GDPR Data Controller vs Data Processor
The EU's General Data Protection Regulation (GDPR) establishes what's known as "data controllers" and "data processors". Although similar in many ways, controllers and processors have different roles and responsibilities when it comes to collecting, handling, and sharing personal data.
Below, we consider the main similarities and differences between GDPR data controllers and data processors, and how you can determine whether you're a controller or processor for GDPR purposes.
Get compliant today with PrivacyPolicies.com
Select one of our generators to create the required legal agreements for your business:
- Our Privacy Policy Generator can help you generate a customized Privacy Policy in around three minutes, for free.
- Our Terms & Conditions Generator can help you generate a customized Terms & Conditions agreement in around three minutes, for free.
- Our EULA Generator can create a customized End-User License Agreement for your mobile or desktop app.
- Our Cookies Policy Generator can create a customized Cookies Policy to help your compliance with ePrivacy Directive and GDPR.
- Our Disclaimer Generator can create a disclaimer or disclosure for your website.
- Our Return & Refund Policy Generator can help your ecommerce store by creating a returns or refunds policy.
Integrate a free Cookies Notice and Cookie Consent banner to comply with the EU ePrivacy Directive and the new GDPR law regarding cookies.
- 1. Determining Whether You Are a Controller or Processor
- 2. Important Definitions from the GDPR
- 2.1. Personal Data
- 2.2. Processing
- 2.3. Consent
- 2.4. Personal Data Breach
- 3. What is a Data Controller?
- 3.1. Data Controller Responsibilities
- 3.2. Examples of Data Controllers
- 4. What is a Data Processor?
- 4.1. Data Processor Responsibilities
- 4.2. Examples of Data Processors
- 5. Requirements for Each Role
- 5.1. Data Protection By Design
- 5.2. Record Keeping
- 5.3. Reporting Requirements
- 5.4. Data Security
- 5.5. Notification of Data Breaches to Affected Individuals
- 5.6. Data Protection Impact Assessments
- 5.7. Data Protection Officers
- 5.8. Cooperation With Supervisory Authorities
- 5.9. Liability
- 6. Summary
Determining Whether You Are a Controller or Processor
To determine whether you're a GDPR data controller or GDPR data processor, think about your data processing activities.
If you have control over what data is processed and why it is processed, then you are a controller. If you have no control over the type of data or purposes of collection, you are a processor.
Remember, although GDPR data processors may make some technical decisions regarding how data is processed, they must act in accordance with another party's instructions. Only a data controller has the authority to determine what data is collected, the purposes of collection, and how it is processed.
In some cases, you can be both a controller and processor. For example, say you're processing payroll data on behalf of a small business. If you have your own staff and payroll to manage, then you're a controller for your own company's data, and you're also acting as a processor over another data set.
Important Definitions from the GDPR
Before moving on, it's important to understand some key terminology used throughout the GDPR. These definitions can be found in Article 4 of the GDPR but here is a summary of some of the most important ones for our purposes.
Personal Data
Both data controllers and processors take responsibility for personal data. Article 4 (1) of the GDPR defines personal data as essentially any piece of data which can be used to identify a specific person (the "data subject").
Processing
Article 4 (2) defines processing as any action taken on personal data. Any activity performed on the data counts as processing but examples include collecting, storing, retrieving, erasing, and sharing the data.
Consent
Under the GDPR, you may need consent to process personal data. The GDPR requires that consent must be specific, informed, clear, and freely given. It requires an affirmative or positive action taken by the data subject e.g. clicking a checkbox.
Personal Data Breach
Article 4 (12) defines a data breach as essentially a leak which results in the loss, destruction, disclosure, or amendment of personal data.
We will define other key terms, such as data controllers and processors, below.
What is a Data Controller?
According to Article 4 (7), a data controller determines:
- Why personal data should be collected
- What personal data is collected
- How this data should be processed
In other words, the controller assumes overall responsibility for the personal data gathered and processed. They are the ultimate decision-makers who determine why data is being collected and how it should be used.
As set out in Article 4 (7), data controllers can be individuals such as self-employed persons or sole traders. They can also be businesses, public authorities, or agencies. What they all have in common is that they're setting parameters for how data should be processed in line with applicable privacy laws.
Data Controller Responsibilities
We will cover a data controller's main duties below, but here is a summary of their major responsibilities:
- Controllers make decisions regarding data processing activities
- They must demonstrate full compliance with GDPR privacy rules
- A controller must exercise responsible judgment around how to use, share, store, and erase personal data
- If there's a data breach, GDPR data controllers have special reporting obligations as they're in overall charge of the data
- Data controllers must perform Data Protection Impact Assessments to demonstrate compliance
- All data controllers must keep records of their data processing activities
- Alongside their other legal obligations, data controllers must fully cooperate with Member State authorities and other relevant bodies
Examples of Data Controllers
To make the role clearer, here are some examples of organizations acting as data controllers.
Say you are a beauty salon. You collect personal data from your clients including names, contact details, and financial details for processing payments.
Although you might store this data in a third-party application or automated system, you're still in overall control of the data and you can determine what data to collect, share, or erase. You're also responsible for the data's security.
Or, perhaps you are a small business owner. You collect data on your employees, such as their names, addresses, and bank details, to run your payroll. Again, although you might use accounting software to manage this data, you're still the controller because you're determining the data you collect, how it's used, and how it's shared.
Companies can also act jointly to decide how sets of personal data should be processed. In such scenarios, they are known as joint controllers.
What is a Data Processor?
A data processor is defined in Article 4 (8) as a person, company, or other body responsible for processing personal information on behalf of the GDPR data controller:
Meaning, the data processor is not the one responsible for determining what data should be collected or how it's used. They can only process data in line with the data controller's instructions.
Data Processor Responsibilities
GDPR data processors have various responsibilities which we'll explore in more detail, but they include:
- Acting in line with a data controller's instructions outlined in a formal contract
- Securing personal data in their possession at a given time
- Complying with GDPR privacy rules and obligations
- Keeping records of data processing actions
- Reporting data breaches to affected GDPR data controllers
- Cooperating with Member State authorities
Examples of Data Processors
The role of a data processor varies considerably, but here are some examples of when a company or individual is acting in a data processing capacity.
Returning to the example above, a beauty salon uses management software to handle its clients' personal data. The management software company processes personal data in line with the beauty salon's requirements. They can't share, use, or process the data in any way which contravenes their agreement with the salon.
The accounting software company processing data on behalf of the small business owner above is the processor. Again, they're processing data received from the controller, but they have no control over how it's used or shared. They don't make decisions regarding the data and they must dispose of it if so requested by the controller.
Now that we've covered the main distinctions between GDPR data controllers and processors, let's consider the different roles they play, and the responsibilities they have, in more detail.
Requirements for Each Role
Data Protection By Design
Under Article 25, the controller must implement sufficient measures to ensure GDPR compliance during all data processing activities. This includes ensuring they collect data only in line with GDPR principles:
Data processors have no such responsibilities.
Record Keeping
Article 30 outlines the record keeping responsibilities which apply to controllers and processors.
Controllers should keep a record of processing activities which shows:
- Controller name and contact details
- Purposes of processing
- Categories of personal data
- Categories of recipients of the data
- Details of third country transfers
- Expected time limits for erasure
- Security measures implemented
Processors should produce similar records although there's no need to record projected time limits, or describe categories of personal data.
These record keeping requirements do not apply to processors or controllers with less than 250 employees unless the data is especially sensitive:
Reporting Requirements
According to GDPR Article 33, controllers usually have 72 hours to report data breaches to a supervisory authority from the moment they become aware of the breach, unless the risk to data subjects is minimal:
Processors must report data breaches to controllers "without undue delay" although no time limit is specified. There's no requirement to report to supervisory authorities.
Data Security
Article 32 states that both processors and controllers must implement measures to secure personal data in their possession. The measures should be proportionate considering the costs involved, the purposes of processing, the scope of the processing, and the risks of harm to data subjects.
Special consideration should be given to the risks of unauthorized action or the destruction, loss, or alteration of the data.
In this respect, there's no difference between processors and controllers. They're both equally responsible for safeguarding personal data in their possession.
Notification of Data Breaches to Affected Individuals
According to Article 34, controllers must communicate, in plain language, any data breaches to affected individuals if there's a risk of harm to these data subjects. It may sometimes be more appropriate to post a public notice if contacting people individually is disproportionately difficult:
Article 34 does not impose similar obligations on data processors.
Data Protection Impact Assessments
Under Article 25, data controllers should perform data protection impact assessments if they're performing any activity which could result in a high risk to data subjects. This may apply, for example, if the controller handles special categories of data or they're using new technologies for the first time.
The assessment should set out:
- A description of the operation
- The purpose of processing and any relevant legitimate interest
- A risk assessment of how the processing could affect data subjects
- Why the processing is proportionate and necessary
- The security safeguards which will be implemented
As processors have no overall control of the data and they're acting according to a controller's instructions, they have no such requirement to perform data protection impact assessments.
Data Protection Officers
If you're a public body, process monitored data on a large scale, or handle certain categories of data e.g. data relating to criminal records, you should appoint a Data Protection Officer whether you're a controller or a processor, according to Article 37.
There's no real difference here between data processors or controllers in terms of what is required.
Cooperation With Supervisory Authorities
Both GDPR data controllers and processors must comply with requests and orders made by supervisory authorities i.e. the regulatory bodies responsible for ensuring GDPR compliance across Member States.
There's no significant difference here between what's expected of controllers or processors. However, controllers may be subject to more comprehensive investigations as they're ultimately responsible for a data set.
Liability
There are clear differences in what processors and controllers can be held liable for.
Data processors are liable to controllers if they breach the terms of their service contract. This could mean they may also face fines or other penalties for acting beyond the scope of their authority or violating the GDPR.
Data controllers are liable if they breach the GDPR or, as per Article 28 of the GDPR, they fail to exercise due care when choosing data processors.
They might also be liable if they don't have a valid service contract in place with their data processors (again, as per Article 28).
Summary
The GDPR establishes two key roles: data controllers and data processors. Data controllers and processors both handle personal data, but their roles and responsibilities are quite different.
Data Controllers:
- Unlike processors, GDPR data controllers decide what data to collect, the purposes for data collection, and how it can be used and shared.
- They have more legal responsibilities than processors, with greater reporting requirements and security obligations.
- Controllers, unlike processors, must perform impact assessments and implement data protection by design.
Data Processors:
- Unlike controllers, data processors have very limited control over a data set. They can only act in accordance with a controller's instructions.
- Data processors are accountable to processors if, for example, there's a data breach.
- Like controllers, data processors have some reporting obligations but they are not as strict or far-reaching.
