One of the first things they teach at law school is to understand what obligations and responsibilities someone has in any given situation. Knowing who’s who in any relationship is crucial, especially when something goes wrong.
When it comes to GDPR, understanding who your organization is translates into knowing what your rights and obligations are in regards to the holding and processing of personal data.
According to GDPR, organizations need to understand the difference between data controllers and data processors. Depending on which of these your organization falls under, GDPR sets obligations and limits to what you can do with the personal data, and who is responsible for what.
What is a Data Controller?
A data controller is the central figure when it comes to protecting the rights of the data subject (a.k.a. the individual).
The data controller, as its name implies, controls the overall purpose and means of the processing: the ‘why’ and the ‘how’ of the way the data is to be used.
The data controller can also process the data by its own means. There may be situations, however, where a data controller needs to use an external service to process the data further.
In this case, the data controller allows another company to process the personal data. This does not mean that the data controller hands “control” to the other organization. The data controller remains in control by instructing that company on the purpose for which, and the extent to which, it may process the data.
These situations are common in today’s interconnected economy, which is also why we must clarify the role of the data processor.
What is a Data Processor?
As we have just seen, the data controller can use an external organization to carry out the processing of the data it controls. These organizations that process the data on behalf of the data controller are called data processors.
Importantly, the data processor does not control the data and cannot change the purpose or use of the particular set of data. The data processor processes the data only according to the instructions and purpose given by the data controller.
Envision the data processor as a specialized technical partner, appointed to carry out specific tasks to accomplish the goals set by the data controller.
Why is this distinction important?
In a perfect world, the data controller and data processor would know their roles exactly and the communication between them would be seamless. Unfortunately, reality often diverges from this ideal. Therefore, GDPR establishes a framework and defined roles for when problems arise.
A common situation in which one must recall one’s role is a data breach. In such a case, each company involved in the breach must be able to show that it acted within the limits of its own responsibilities.
OK, so what?
In today’s business world, almost all businesses outsource some part of their processing to an external data processor. As a data controller, you must ensure that your data processor(s) remain aware of their GDPR obligations.
As a common recommendation, confirm that a clear and specific data processing agreement is in place before handing over processing to a third party. You should also know the overall structure of your company’s involvement with the particular data being handled.
How do I know if I am a data controller or a data processor?
As in many areas of life, things are not always black and white. In some cases there are grey areas that need additional legal expertise to clear up.
To get started, consider the quick guide below. It will help you understand your role when handling personal data.
You may be a data controller if your organization decides:
- to collect the personal data and has the legal basis for doing so;
- which items of personal data to collect;
- to modify the data;
- the purpose or purposes the data are to be used for;
- whether to share the data, and if so, with whom;
- how long to retain the data.
Your organization may be a data processor if it receives instructions from a data controller to carry out some of the following tasks:
- implement IT systems or other methods to collect personal data;
- use certain tools or techniques to collect personal data;
- implement the security measures surrounding the personal data;
- store the personal data;
- transfer the personal data from one organization to another.
These lists are not exhaustive, and grey areas (a.k.a. uncertainties) may arise. We hope that this article has helped you understand a bit better the distinction between a data controller and a data processor.
It is a distinction that can help you understand your organization’s role once GDPR comes into force. If you still experience doubts or concerns, we always recommend that you consult with a legal expert on the matter.
Still need more clarification on GDPR? We’ve taken 7 other common misconceptions on GDPR and debunked them in this article.