Who’s Who in the GDPR: controller versus processor

Aug 9, 2018 12:00:00 AM | GDPR Explained Who’s Who in the GDPR: controller versus processor

To protect the rights of the data subjects it is crucial to determine the controller and processors for data processing activity, as these individuals or teams can be held accountable for activities regarding difference stages of data management. Considering the complex business structures in today’s world, the legal obligations attached to these two roles can be misinterpreted. Although controller and processor roles seem similar at first, they in fact have distinct features and distinct legal obligations and each can be aided by the use of effective GDPR compliance software. This blog post briefly summarises the two concepts and describes the differences in obligations between the two roles.

What is a Data Controller in GDPR?

As its name would suggest, a data controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determine the purpose and means of a data processing activity.

What is a Data Processor in GDPR?

A data processor is the natural or legal person processing personal data on behalf of the controller. Processors may only process personal data based on the documented instructions from the controller. Thus, for a particular processing activity, you can never have both roles at once: you are either a controller or a processor.

However, it is very likely that you will have both roles for different processing activities. For instance, for the salary administration of its employees, your organisation will be the controller. However, for software services offered to other organisations, your organisation will probably be a processor. Privacy data mapping exercises and GDPR compliance software can help identify and manage further differences dependent on how a business is setup.

What are the differences between a controller and a processor?

First, the data controller has the primary responsibility in complying with data subject requests. The controller executes or co-ordinates the execution of data subject rights such as the right to access and the right to erasure (and many more, under art. 15-22).

Second, the data controller determines purpose of the processing activity. The data controller is the main decision maker of the personal data. The obligations related to the legitimate purpose of the processing, ensuring the processing has a well-defined, concrete aim and a proper legal basis, are imposed on the controller.

Third, the data controller is responsible for engaging only processors that take sufficient technical and organisational measures, so that the processing will meet the GDPR's requirements and thus protect the rights of the data subject. This has to be arranged by a contract (a processing agreement) or a different legal act. Requirements that should be included in the contract are explicitly mentioned under Article 28.

It's important to note that according to art. 28(4), the processor has to fulfil the same requirement with respect to processors it engages - we call these subprocessors. The obligations applying to the main processor also apply to the subprocessors. Subprocessors also need to implement appropriate technical and organisational measures in such a manner that the processing is in line with the GDPR (including the using of compliance software). However the primary processor retains full liability for the subprocessors engaged (art. 28(4)).

There are also several differences between controllers and processors with regard to the administrative obligations under the GDPR:

  • Art. 30 requires an inventory of processing activities. The exact data required varies between controllers and processors: less detail is needed in the records held by processors.
  • Art. 33 and 34 regard data breaches. The controller is responsible for notification to the supervisory authority or the data subject, but the processor should notify a breach without undue delay to the controller.
  • Art. 35 and 36 regard data protection impact assessments and prior consultations. These are closely related to the determination of means and purpose of the processing activity, and therefore are obligations applying to the controller.

How do data controllers and data processors fit into the GDPR system?

The GDPR requires a strong contractual link between processors and subprocessors. Although obviously in many cases the controller has the leading role, the system of the GDPR allocates legal obligations to the data processor and subprocessors to create a 'watertight system' avoiding leakage of accountability.

The GDPR's system functions as a 'perpetual clause': controller assigns obligations to processor, who on its turns has to assign the same obligations to any subprocessor, and so forth, ad infinitum. Responsibility and accountability cannot be escaped from anywhere in the controller-processor chain. Being aware of these two concepts and their differences will help your organisation to identify its legal obligations and will provide guidance for the future personal data processing activities.