GDPR Basics: Data Controller vs Processor

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process the personal data of individuals in the European Union (EU).

Under the GDPR, there are two main concepts to understand when it comes to data processing: data controllers and data processors.

A data controller is a person or organization that determines the purposes and means of processing personal data. This means that the data controller decides why and how the personal data will be used. Some specific responsibilities of data controllers under the GDPR include:

1. Ensuring that the processing of personal data is lawful, fair, and transparent. This includes obtaining appropriate consent from individuals for the processing of their personal data, or relying on another legal basis for processing.
2. Ensuring that personal data is collected for specified, explicit, and legitimate purposes, and is not further processed in a manner that is incompatible with those purposes.
3. Ensuring that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4. Ensuring that personal data is accurate and, where necessary, kept up to date. Data controllers must take reasonable steps to erase or rectify personal data that is inaccurate or incomplete.
5. Implementing appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
6. Responding to requests from individuals to exercise their rights under the GDPR, such as the right to access, rectify, erase, or restrict the processing of their personal data.
7. Keeping records of processing activities, and making them available to the supervisory authority upon request.
8. Undertaking data protection impact assessments and consulting with the supervisory authority in cases where the processing is likely to result in a high risk to the rights and freedoms of individuals.
9. Appointing a data protection officer, where required.

‍

A data processor is a person or organization that processes personal data on behalf of a data controller. This means that the data processor carries out the actual processing of the data, but does so at the direction of the data controller. Some specific responsibilities of data processors under the GDPR include:

1. Processing personal data only in accordance with the instructions of the data controller, and not using the personal data for any other purposes.
2. Ensuring that appropriate technical and organizational measures are in place to protect personal data against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
3. Appointing sub-processors only with the prior written authorization of the data controller and ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.
4. Implementing appropriate measures to assist the data controller in fulfilling its obligations to respond to requests from individuals to exercise their rights under the GDPR, such as the right to access, rectify, erase, or restrict the processing of their personal data.
5. Providing the data controller with all information necessary to demonstrate compliance with the GDPR and allowing for and contributing to audits, including inspections, conducted by the data controller or an auditor mandated by the data controller.
6. Taking all appropriate steps to ensure the security of processing, including the pseudonymization and encryption of personal data.
7. Reporting any personal data breaches to the data controller without undue delay and taking all appropriate measures to address the breach and mitigate its potential adverse effects.

‍

It's important to understand the difference between data controllers and data processors, as they have different responsibilities under the GDPR. Data controllers are ultimately responsible for ensuring that the processing of personal data is carried out in a lawful and fair manner, while data processors are responsible for carrying out the processing of the data on behalf of the data controller.

Under the GDPR, it is possible for an organization to be both a data controller and a data processor at the same time. This is because the roles of data controller and data processor are independent of each other and can exist simultaneously within the same organization.

For example, consider an organization that runs an online marketplace. In this case, the organization may be a data controller for the personal data of its own employees, as it determines the purposes and means of processing this data. At the same time, the organization may also be a data processor for the personal data of its customers, as it processes this data on behalf of the customers when they make purchases on the marketplace.

In summary, a data controller is the person or organization that determines the purposes and means of processing personal data, while a data processor is the person or organization that carries out the actual processing of the data on behalf of the data controller. Both data controllers and data processors have important responsibilities under the GDPR to protect the personal data of individuals and ensure that it is processed in a lawful and fair manner.