GDPR: Data Controller vs Data Processor

As part of our series of briefings on the General Data Protection Regulation, we set out an overview of the changes to the distinction in the roles of data controllers and data processors.

Companies and individuals may face difficulties in determining whether they are a controller or a processor of data. The interaction between these two concepts is of paramount importance, as it determines the obligations and liability each role carries. This piece aims to help you determine which type you are.

What is a Data Controller?

The Data Controller is the person or legal entity which determines the purposes and means of processing personal data and which is in charge of establishing and managing the data filing system. Data Controllers can be companies, Government departments and voluntary organisations. Individuals can also be controllers of data: general practitioners, pharmacists, politicians and sole traders, for example, all qualify.

What is a Data Processor?

A Data Processor is a person or legal entity which processes personal data under the authority of, and on behalf of, the data controller. Any company that holds and processes data but does not exercise responsibility for or control over that data is a processor. Data Processors are contracted to provide a particular data processing service; examples include a tax adviser, a telemarketing company and companies that handle payroll.

What are the responsibilities of the Data Controller?

The Data Controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; data minimisation; accuracy; storage limitation; and integrity and confidentiality of personal data.

According to Article 24 of the EU GDPR, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

What are the responsibilities of the Data Processor?

The GDPR states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

This means that any EU or non-EU company that wants to stay in business, whether as controller or as processor, will have to implement the necessary controls to ensure that it complies with the EU GDPR, because fines can be applied to both controllers and processors. According to Article 83, fines shall be imposed having regard to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”

Gregory Olczyk