The two key roles within the GDPR are the data controller and the data processor. Understanding your company's position is crucial for firms that want to maintain regulatory compliance.
In this article we'll explain what a data processor and a data controller are, and walk you through questions you can use to determine whether your business falls under the category of a data processor or a data controller. Let's begin by defining a few key terms.
A data controller decides the purpose and method of processing personal data. Therefore, your organization is the data controller if it determines why and how any personal data is processed. Employees who process personal data in the course of their work are doing so to carry out your company's duties as the data controller.
When you and one or more other organizations jointly decide "why" and "how" personal data should be handled, your business is a joint controller. Joint controllers are required to enter into a contract outlining their individual obligations for adhering to GDPR regulations. The individuals whose data is being processed must be informed of the arrangement's key components.
A data processor is, as the name suggests, responsible for processing data. The data processor handles personal data only on behalf of the controller. The data processor is typically an outside party to the business. However, when there are multiple projects, one of them may serve as the processor for another.
A contract or other written legal document must set out the obligations of the processor toward the controller. For instance, the contract needs to specify what happens to the personal data once the contract expires. Processing companies frequently provide IT solutions, such as cloud storage. The data processor may assign a portion of its work to another processor, or name a joint processor, only after receiving prior written consent from the data controller.
There are many scenarios in which a business entity can be a data processor, a data controller, or even both at the same time. Let’s explore how to figure out where your company stands.
The entity that decides the purposes and means of processing personal data is known as the data controller. To put it simply, you determine what to do with the data and for what purpose.
Any information that could be used to identify a European citizen is considered personal data. This includes basic identifying data such as names, addresses, phone numbers, license numbers, credit card information, and online identifiers like usernames. It also includes sensitive personal information such as genetic and biometric data.
So, let's assume you manage an online store. You'll gather customer identity, contact, and payment information. Most obviously, you do this to fulfil orders. You might also have additional goals in mind, such as projecting future sales and informing existing customers of new offers. The "method of processing" in this example could be a cloud-based CRM system.
A controller may be a business or other legal entity, such as an incorporated partnership, association, or government agency, or an individual, including a self-employed professional. However, the GDPR does not apply to someone who processes personal data for strictly domestic or private purposes.
Questions to ask:
"Data processing" is a fairly broad term that covers almost anything done to or with personal data. You could gather information manually or automatically, analyze it, use it for marketing or research, or store it on someone else's behalf. In each and every one of these scenarios, you are "processing" that data.
Under the GDPR, "processor" has a very specific definition. It refers to a person or organization that processes personal data on the data controller's behalf but is independent of the data controller (i.e., not an employee). In other words, the processor completes the task assigned to it by the controller.
Let's go back to the e-commerce business scenario. It offers an extended warranty period on its products. To keep track of any claims that may result, it has decided to retain all customer purchase records for a period of three years. It hires another company to store this data on its behalf in an online archive system. That company serves as the "data processor" for the e-commerce business.
Questions to ask:
We recommend looking at your organization through the lens of a scale of responsibility. If an organization processes consumer data, then in most scenarios it would be considered a data processor. However, if that same organization controls the data it processes and uses it for any purpose of its own (marketing, client research, etc.), then it would also be considered a data controller.
A retail business has numerous employees. To pay them, it enters into a contract with a payroll service. When an employee leaves or receives a pay raise, the retail company notifies the payroll provider, and it also supplies all the information needed for the salary slip and payment. The payroll provider supplies the IT system and maintains the employee data. The payroll firm is the data processor, whereas the retail company is the data controller.
Through an internet portal, your business provides house cleaning services. In addition, your business has a contract with another business that enables you to provide value-added services: customers can rent various pieces of deep-cleaning equipment, such as shop vacs, in addition to selecting a house cleaner. The technical foundation of the website is shared by both businesses. In that situation, the two businesses have chosen to use the platform for both activities (renting cleaning equipment and providing house cleaning services) and frequently share client names. As a result, the two businesses are joint controllers, since they not only agree to offer "mixed services" but also build and operate a single platform together.