
Am I a Data Controller or Data Processor?

When it comes to GDPR compliance, data controllers and data processors are important figures. Here’s how to determine which one your business would be considered.

The two key roles within the GDPR are the data controller and the data processor. Understanding which position your company occupies is crucial for firms that want to maintain regulatory compliance.

In this article we'll explain what a data processor and a data controller are, and then lead you through a set of questions you can use to work out whether your business falls under the category of data processor or data controller. Let's begin by defining a few important key terms.

What is a Data Controller?

A data controller is responsible for deciding the purpose and method of processing personal data. Therefore, your organization is the data controller if it is responsible for determining why and how any personal data should be processed. Employees who work for your company and process personal data are doing so to carry out your company’s duties as the data controller.

When you and one or more other organizations jointly decide "why" and "how" personal data should be handled, your business is a joint controller. Joint controllers are required to enter into an arrangement, typically a contract, that outlines each party's obligations for adhering to the GDPR. The individuals whose data is being processed must be informed of the arrangement's key components.

What is a Data Processor?

A data processor is, as the name suggests, responsible for processing data, but it processes personal data only on behalf of the controller. The data processor is typically an outside party to the business. However, when a business runs multiple projects, one of them may serve as the processor for another.

A contract or other written legal document must set out the obligations of the processor toward the controller. For instance, the contract needs to specify what happens to the personal data once the arrangement expires. Processing companies frequently provide IT solutions, such as cloud storage. Only after receiving prior written consent from the data controller may the data processor assign a portion of its work to another processor or appoint a joint processor.

There are many scenarios in which a business entity can be a data processor, a data controller, or even both at the same time. Let’s explore how to figure out where your company stands.


How to Determine if Your Organization is a Data Controller

The entity that chooses the objectives and means of processing personal data is known as the data controller. To put it simply, you determine what to do with the data and for what purpose.

Any information that could be used to identify a European citizen is considered personal data. It includes basic identifying data such as names, addresses, phone numbers, license numbers, credit card information, and online identifiers like usernames. It also includes sensitive personal information, including genetic and biometric data.

So, let's assume you manage an online store. You'll gather customer ID, contact, and payment information. This is primarily being done to fulfil orders, which is very evident! You might also have additional goals in mind, such as projecting future sales and informing current clients of new offers. The "means of processing" in this illustration could be a cloud-based CRM system.

A controller may be a business or other legal body, such as an incorporated partnership, association, or government agency, as well as an individual, including a self-employed professional. However, the GDPR does not apply to someone who processes personal data for strictly domestic or private purposes.

Questions to ask:

  • Does my organization decide where to collect personal data?
  • Does my organization have a lawful basis to collect personal data?
  • What types of data do we collect?
  • Which individuals in our business collect data?
  • Do we disclose any of that data to our consumers and clients?

How to Determine if Your Organization is a Data Processor

"Data processing" is a fairly broad term that primarily refers to anything done to or with personal data. You could manually or automatically gather information, analyze it, use it for marketing or research, or store it on someone else's behalf. In each and every one of these scenarios, you are "processing" that data.

Under the GDPR, "processor" has a very specific definition. It refers to a person or organization that processes personal data on the data controller's behalf but is independent of the data controller (i.e., not an employee). In other words, the processor completes the task assigned to it by the controller.

Let's go back to the e-commerce business scenario. The business offers an extended warranty period on its products. It has decided to keep all consumer purchase records for a period of three years in order to keep track of any claims that may result from this. It employs a company to store this data on its behalf using an online archive system. That company serves as the "data processor" for the e-commerce business.

Questions to ask:

  • Does my organization decide which IT systems or tools are used to collect personal data?
  • Do we decide how to store personal data?
  • Do we keep details of our security measures to protect personal data?
  • Do we determine how to transfer personal data from our organization to third-party organizations?
  • Do we decide how to retrieve personal data, how to adhere to a retention schedule, or how to delete or dispose of personal data?

We recommend looking at your organization through the lens of a scale of responsibility. If an organization processes consumer data, then in most scenarios it would be considered a data processor. However, if that same organization controls the data it processes and uses it for its own purposes (marketing, client research, etc.), then it would also be considered a data controller.

Examples of Data Controllers, Data Processors, and Joint Controllers

Situation 1:

A retail business has numerous workers. To pay them, it enters into a contract with a payroll provider. When an employee leaves or receives a pay raise, the retail company notifies the payroll provider, and it also supplies all the information necessary for the salary slip and the payment. The payroll provider supplies the IT system and also maintains the employee data. The payroll firm is the data processor, whereas the retail company is the data controller.

Situation 2:

Your business provides house cleaning services through an internet portal. In addition, your business has a contract with another business that enables you to provide value-added services: customers can rent various pieces of deep-cleaning equipment, such as shop vacs, in addition to selecting a house cleaner. The technical foundation of the website is shared by both businesses. In that situation, the two businesses have chosen to use the platform for both activities (renting cleaning equipment and providing house cleaning services) and frequently share client names. As a result, the two businesses are joint controllers, since they not only agree to offer "mixed services" but also build and operate a single platform together.
