Data Controller vs. Data Processor

By: Ali Talip Pınarbaşı, CIPP/E, & LLM Ali Talip Pınarbaşı, CIPP/E, & LLM | Updated on: July 6, 2022

Try Termly for Free
Data-Controller-vs-Data-Processor-01

The way organizations use and store personal data has been scrutinized for many years, and the pressure to responsibly handle it will only mount as more consumers become aware of how precious their data is.

This need for responsibility is where data controllers and data processors come in.

Read on to learn the differences between a data controller vs. a data processor.

Table of Contents
  1. What Is a Data Controller?
  2. What is a Data Processor?
  3. Data Controller vs Processor: Differences and Similarities
  4. Which Laws Require Them?
  5. Summary

What Is a Data Controller?

According to the General Data Protection Regulation (GDPR), data controllers are responsible for the personal data collected by a company or organization. A data controller is a person — or entity — that makes high-level data decisions.

The controller defines and decides what a data processor does — if the two are separate people or organizations.

How To Tell if You’re a Data Controller

In some circumstances, it may be hard to know whether you are a data controller or data processor.

For example, if an app processes payment data via Stripe or ApplePay and stores card details on the user device, is this mobile app the data controller or data processor?

The UK Data Protection Authority recommends that organizations consider the following checklist to decide if they are data controllers:

☐ We decided to collect or process the personal data.

☐ We decided what the purpose or outcome of the processing was to be.

☐ We decided what personal data should be collected.

☐ We decided which individuals to collect personal data about.

☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.

☐ We are processing the personal data as a result of a contract between us and the data subject.

☐ The data subjects are our employees.

☐ We make decisions about the individuals concerned as part of or as a result of the processing.

☐ We exercise professional judgement in the processing of the personal data.

☐ We have a direct relationship with the data subjects.

☐ We have complete autonomy as to how the personal data is processed.

☐ We have appointed the processors to process the personal data on our behalf.”

The more boxes you check, the more likely you are a data controller.

Responsibilities of a Data Controller

Since data controllers enjoy such a high control over the collection, use, and processing of personal data, they bear the highest level of responsibility for compliance with the various requirements imposed by the GDPR.

For example, data controllers must comply with the following GDPR requirements:

  • They must identify and document a lawful basis under Article 6 of the GDPR to justify that they legally collect and process personal data.
  • They must ensure that personal data is protected by appropriate security measures such as encryption and access controls.
  • They must comply with the main principles of the GDPR, such as accountability, fairness, and transparency.

If a data controller fails to satisfy GDPR requirements, it may face two risks:

Risk #1: Regulators may bring legal action and impose fines for non-compliance

For example, Whatsapp is a data controller because it collects phone numbers for its own purposes and decides the means of processing. They faced a GDPR fine of €225m in Ireland because its privacy policy failed to meet transparency requirements.

Risk #2: Data subjects can bring legal action and ask for damages

When a data controller processes individuals’ personal data in a non-compliant way, individuals can also sue data controllers for damages.

Examples of a Data Controller

A data controller can be an individual, an entity, a charity, or a government agency. Sometimes they will take on the role of a data processor as well.

For example, when a business uses Google Workspace for internal communication and collaboration, that business will be the data controller, and Google is the processor.

What is a Data Processor?

The GDPR says that a data processor is a person or organization that processes data according to the bidding of a data controller.

In an organization’s everyday operations, the data controller sets the rules, and the data processer plays by those rules.

Responsibilities of a Data Processor

Article 4 of the GDPR states:

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

A data processor collects, stores, or deletes incoming personal data according to guidelines set by a data controller, who, in turn, should be following GDPR guidelines.

The processor designs, creates and implements tech solutions for capturing personal data and security measures to safeguard this data. In addition, the processor is in charge of storing personal data and transferring data to other organizations as defined by the controller.

Since data processors do not control purposes and means of processing, their responsibilities under the GDPR are limited. However, some of the GDPR obligations still apply to data processors:

  • Processors must comply with the security requirements set out by Article 32 GDPR.
  • Processors must enter into a data processing agreement if they use their own processors to provide their services. Furthermore, these sub-processor agreements should reflect the obligations imposed on the main processor.
  • Data processors may have to keep records of processing activities under Article 35 GDPR.
  • Data processors have certain obligations under article 46 GDPR concerning international data transfers.

Like data controllers, data processors can also face regulatory action for non-compliance with the GDPR. Furthermore, data subjects may also bring claims against data processors.

Examples of a Data Processor

Much like data controllers, data processors can be individuals or business entities.

Imagine your company is having a big holiday celebration and inviting all its clients. The company enlists an outside printing business to create invitations. The printing business receives a list of client names and addresses.

In this situation, the GDPR would consider the printing business a data processor because it uses personal data as dictated by instructions from the data controller.

Data Controller vs Processor: Differences and Similarities

Data controllers and data processors focus daily on the same terrain – personal data. However, their roles are very different, as well as their responsibilities. Regarding data, the GDPR sees data controllers more like the generals, while data processors are the foot soldiers.

Data Controllers Data Processors
Defines how data is processed – always thinking about what data processors do Processes data according to controller guidelines
Makes key decisions about data:

  • What data will be collected
  • Whose data will be collected
  • For what goals this data will be used
  • By what means this data will be processed
Follows data rules set by controller

Can One Person Be Both a Data Controller and Data Processor?

There are overlaps between what data controllers and processors do. The main difference between the two roles is hierarchical. In any organization, the day-to-day business of the two positions would be deeply intertwined.

The GDPR allows for dual roles for individuals, businesses, and other organizations. For example, in some cases, you might serve as the data controller for one organization and be the data processor for another.

Even if a third-party vendor or other organization always or occasionally serves in this dual role, it is crucial to understand how the data processor and data controller positions differ and why.

Which Laws Require Them?

The GDPR is currently the strictest data privacy law on the planet, and it impacts any organizations dealing with data from people in the EU. Because of this, you should follow the roles outlined in Article 4 of the GDPR the most closely.

However, your nation or state might have data privacy laws that differ in some ways from the GDPR. Therefore, if your organization deals with data in any way, you should research what local, national, and international laws dictate.

Even if an organization is US-based, there are still data privacy laws to consider.

While not on the same level as the GDPR, the Federal Trade Commission Act charges the FTC in the US to enforce rules about data privacy, including situations where an organization fails to follow its own published data privacy policies.

Additionally, the Children’s Online Privacy Protection Act (COPPA) prohibits data collection on children under the age of 13.

Data Controllers and the Law

As the name suggests, data controllers hold the most responsibility per the GDPR because they are ultimately in charge of personal data for an organization.

Fines for noncompliance with the GDPR are set case-by-case but can become pretty hefty. Maximum penalties are calculated as a portion of a non-compliant organization’s annual global turnover. The maximum fine can range from 4% of turnover or 20 million euros, whichever is higher.

For more minor infractions, fines can range from the higher of 2% of global turnover or 10 million euros.

As a data controller, you must always select a data processor that is compliant with the GDPR. Your organization will be held at fault in the end.

Additionally, you must have an agreement dictating what will happen with personal data if a contract terminates between a data controller and a processor.

Data Processors and the Law

Data processors might be less in control of decisions regarding personal data. Still, a data processor that does not keep focused on the GDPR will not be of use to many organizations. This is because the GDPR empowers courts to levy fines against data processors, not just data controllers.

While a data processor should collect, store, and dispose of personal data on behalf of a data controller, you should also strive to maintain an accurate activity record. Not only is this required by GDPR standards, but it is also likely the best practice of your data controller.

If courts in the EU investigate a breach or other instance of noncompliance with the GDPR, the data processor will be subject to investigation, as will the data controller.

Summary

Personal data is precious, both to the people it belongs to and the organizations that want to collect, study, and store it. The GDPR asserts how vital data is, and data controllers and data processors must understand their roles’ importance.

Fundamentally, it is vital to understand the distinction between data controlling and data processing. Then you know what person or organization is making data decisions and who is carrying out data policy with every click.

Ali Talip Pınarbaşı, CIPP/E, & LLM
More about the author

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author

Related Articles

Explore more resources