Data controller vs data processor: what’s the difference?

The concept of data controllers and data processors has been around for years, but the roles come with clearly defined responsibilities under the GDPR (General Data Protection Regulation).

In this blog, we take a close look at what a data controller and processor does and how they fit into your organisation.

What is a data controller?

A data controller determines the purposes for which an organisation collects and uses personal data. They can be an individual or a group, but as long as they have the authority to decide how and why information should be processed, they are a data controller.

However, the GDPR’s obligations mean that you can’t just start gathering personal information. You need a lawful basis, and it’s the data controller’s responsibility to decide which basis applies and to document their justification.

Data controllers must also determine:

  • What types of personal data to collect (names, contact information, etc.);
  • Whose personal data to collect;
  • Whether the information will be shared with a third party and, if so, which one(s);
  • When and where data subjects’ rights apply;
  • How long the data will be retained; and
  • Whether to make non-routine amendments to the data.

What is a data processor?

A data processor is the person or organisation that handles personal data on behalf of the controller.

In general, data processors will be expected to:

  • Oversee the logistics of data processing;
  • Determine how to store the collected information;
  • Ensure that the information is secure;
  • Determine how to transfer personal data;
  • Ensure that a retention schedule is adhered to; and
  • Decide how sensitive data should be disposed of when it’s no longer needed.

However, this isn’t to say that the data processor must do exactly what the controller demands. Before processing any information, both parties must sign a contract agreeing to their responsibilities.

The contract must state that data processors may act only on the data controller’s documented instructions, that they won’t contract a sub-processor without prior approval, and that they will delete or return all personal data to the data controller at the end of the contract.

Are you a data controller or a data processor?

Understanding your role as either a data controller or data processor requires you to identify the differences between the two roles.

Say, for example, that you are a marketing executive at a retailer who wants to conduct a survey on shoppers’ browsing habits.

That would make you a data controller. As such, you must find a data processor to conduct the survey and provide them with the necessary information to complete that task.

If you fail to do that, you’ve violated the GDPR and are subject to disciplinary action. The repercussions are even worse if the data processor suffers a data breach, because you’ll be liable for any mistakes they make.

However, it’s not always that simple. The GDPR permits two or more organisations to jointly determine the purposes and means of processing the same personal data.

Joint data controllers must agree which one will take primary responsibility for complying with the GDPR, and they must make this information available to individuals.

Despite that, all joint controllers have GDPR compliance responsibilities, and supervisory authorities and individuals may take action against a controller should those obligations not be met.

If you’re wondering how data processors fit into this: they must only act on behalf of, and follow the instructions of, the relevant controller.

It’s worth clarifying that if multiple data controllers are processing the same data but for different purposes, they are not joint controllers; they are instead two separate data controllers that happen to be performing a similar task.

Privacy as a Service

With such high stakes involved in GDPR compliance, it makes sense to look for expert advice.

Whether you’re looking for help on your data controller or processor requirements, other aspects of the GDPR or general guidance on how to boost your information security practices, our Privacy as a Service package is ideal.

Led by a team of highly experienced privacy lawyers and data protection officers, we can provide pragmatic, commercial advice on a wide range of privacy management and compliance matters when you need it and in a way that suits you.