GDPR data controllers and data processors

This page sets out the obligations of GDPR data controllers and data processors and explains how each must operate in order to reach compliance.

Data Controllers and Processors

The introduction of the GDPR has raised questions about whether a given organization is a data controller or a data processor. Understanding the difference between the two roles is vital for GDPR compliance, because the obligations attached to each differ.

What Does The GDPR Say About Controllers And Processors?

Since the GDPR became applicable on 25 May 2018, controllers have had specific obligations. In addition, processors now have direct legal obligations of their own. This is a major difference from the 1995 Data Protection Directive (DPD) that preceded it, under which obligations fell almost entirely on controllers.

Under the GDPR, the ICO and other supervisory authorities can take enforcement action, including fines, against both processors and controllers for infringements. There are also specific requirements for joint controllers under the GDPR.

What Is The Difference Between A Controller And A Processor?

There is a clear difference between a ‘data controller’ and a ‘data processor’ according to the GDPR.

The regulation recognizes that not all organizations involved in the processing of personal data have an equal level of responsibility. The definitions of controllers and processors according to the GDPR are as follows:

Data Controller – A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)).

Data Processor – A natural or legal person, public authority, agency, or other body which processes personal data on behalf of a data controller (Article 4(8)).

If you are classed as a data controller, you are responsible for ensuring that your processing complies with the GDPR and for being able to demonstrate compliance with the regulation’s data protection principles (the accountability principle in Article 5(2)).

Data processors do not carry the same breadth of compliance responsibilities as controllers.

However, processors still have their own direct obligations, including implementing appropriate technical and organizational measures so that the processing they carry out on the controller’s behalf is done in line with the GDPR.

Data Controllers

Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing.

Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data for compliance, it will be classed as a data controller.

A data controller could be:

  • A private company or any other legal entity – Including an incorporated association, incorporated partnership, or public authority.
  • An individual person – Such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.

Are Unincorporated Organizations Data Controllers?

Some organizations have no separate legal personality of their own, for example unincorporated bodies such as voluntary groups and sports clubs. In this case, refer to the document that governs the management of that organization (its constitution or rules).

This document should set out how the organization is managed on behalf of its members, and who holds that responsibility (typically a committee or named officers). Those individuals will likely be expected to act as the data controller, or as joint data controllers, for the organization’s personal data.

Duties of a GDPR Data Controller

Controllers carry the highest level of GDPR compliance responsibility. Under Article 24 of the GDPR, they must implement measures to ensure, and be able to demonstrate, that their processing complies with the regulation.

They must also use only processors that provide sufficient guarantees of GDPR compliance (Article 28(1)), and remain accountable for processing carried out on their behalf.

The data protection principles they must comply with, and be able to demonstrate compliance with, are those in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

According to Article 24 of the GDPR, data controllers must:

  • Take into account the nature, scope, context, and purposes of the processing.
  • Take into account the risks of varying likelihood and severity to the rights and freedoms of natural persons.
  • Implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing is performed in accordance with the GDPR.
  • Review and update these measures where necessary.

In the UK, data controllers must also pay a data protection fee to the ICO unless they are exempt; the ICO, not a data protection officer, enforces this requirement.

Is Your Company a Data Controller?

Answer these questions to determine whether your organization is a data controller under GDPR.

  1. Did your organization decide to collect and process the personal data?
  2. Did your organization determine the purpose of the processing?
  3. Did your organization decide what kind of personal data should be collected?
  4. Will your organization commercially benefit from the processing (aside from payment for processing services)?
  5. Are the data subjects your own employees?
  6. Does your organization make decisions about the individuals concerned as part of, or as a result of, the processing?
  7. Does your organization exercise its own professional judgement when processing the personal data?
  8. Do you have a direct relationship with the data subjects?
  9. Do you have complete autonomy over how the data is processed?
  10. Have you appointed processors to process the data on your behalf?

Joint Controllers

Article 26(1) of the GDPR states that data controllers can determine the purposes and means of data processing individually or jointly with another party as joint data controllers.

Under the GDPR, joint controllers share a purpose and together decide both why and how the data is processed. Two organizations that happen to use the same personal data for their own separate purposes are not joint controllers; each is an independent controller for its own processing.

Is Your Company a Joint Controller?

Answer these questions to determine whether your organization is a joint controller under GDPR:

  1. Do you have a shared objective with other companies for the data processing?
  2. Are you processing the data for the same reason as another data controller?
  3. Are you using the same set of personal data for the processing as another data controller? For example, this could mean using the same database.
  4. Are you designing the data processing with another data controller?

Duties of Joint GDPR Data Controllers

Article 26 requires joint controllers to set out, in a transparent arrangement between themselves, their respective responsibilities for compliance, in particular for handling data subject rights and providing privacy information, and to make the essence of that arrangement available to data subjects. Regardless of how responsibilities are allocated, a data subject may exercise their rights against any of the joint controllers (Article 26(3)), and each controller can be held liable for the entire damage caused by the processing, subject to a right to claim back a share from the others (Article 82). When setting fines, a supervisory authority takes into account each party’s degree of responsibility (Article 83(2)).

Examples of Data Controllers

Example 1

A doctor’s office uses an automated computer system in their waiting area to tell patients when to make their way to a consulting room.

The automated system works using a digital screen that shows the patient’s name and consulting room number. It may also use a speaker for any visually impaired patients to announce this information.

The doctor’s office will be the data controller for the personal data processed in connection with this notification system because it is in control of the purposes and means of the data processing.

Example 2

A firm hires an accountant to do their books. When acting for their client, the accountant is classed as a data controller in relation to any personal data included in the accounts.

This is because accountants and other professional service providers must work according to certain professional standards and are required to take responsibility for any personal data that they are hired to process.

For example, if the accountant discovers some malpractice whilst completing the firm’s accounts, they may be expected to report this malpractice to the police or other authorities.

If they are forced to take this action, they would no longer be acting according to their client’s instructions but according to their own professional obligations and therefore as a data controller in their own right.

Specialist service providers who process personal data in accordance with their own professional obligations act as a data controller for that processing. For this reason, they cannot contract out of controller status or transfer their controller obligations to their client.

Data Processors

A data processor can be a company or any other legal entity or an individual. Even though data processors make their own operational decisions, they will act on behalf of and under the authority of the relevant data controller.

According to Article 29 of the GDPR, a processor (and anyone acting under its authority with access to the data) must process personal data only on the controller’s instructions, unless required to do so by EU or Member State law.

Individuals can claim compensation for damage from both controllers and processors (Article 82). A processor is liable where it has not complied with its processor-specific obligations or has acted outside of, or contrary to, the controller’s lawful instructions (Article 82(2)). A processor that goes further and determines the purposes and means of processing itself is treated as a controller in respect of that processing (Article 28(10)). Processors must therefore ensure that they comply with the GDPR and stay within the controller’s documented instructions.

Are Employees Classed As Data Processors?

Employees of the data controller are not classed as data processors. As long as an individual is acting within the scope of their employment duties, they act as an agent of the data controller.

In other words, the GDPR treats them as part of the controller, not as a separate party contracted to process data on the controller’s behalf.

Is Your Company A Data Processor?

Answer these questions to determine if your organization is a processor under GDPR:

  1. Are you processing personal data for someone else and under their instruction?
  2. Were you given the personal data by a third party, or instructed on the kind of data to collect?
  3. Did you neither decide to collect the personal data from individuals nor decide what data should be collected?
  4. Is it someone else who decides the lawful basis on which the data is collected or used?
  5. Is it someone else who decides what the data will be used for?
  6. Is it someone else who decides how long the data will be retained and stored?
  7. Are you implementing another organization’s decisions on data processing under a contract with that organization?
  8. Do you have no interest of your own in the overall purpose or result of the processing?

Duties Of A GDPR Data Processor

Data processors don’t have the same breadth of legal obligations as controllers under the GDPR, and in the UK processors don’t have to pay the data protection fee.

But they do have their own direct obligations under the GDPR and can be subject to enforcement action by supervisory authorities such as the ICO for any infringements.

Under Article 28 of the GDPR, a controller may only use processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR, and the processing must be governed by a written contract (or other legal act) setting out the processor’s obligations.

Processors must also implement their own appropriate security measures (Article 32), assist the controller in responding to data subject rights requests (Article 28(3)(e)), and notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).

If an infringement is found, the supervisory authority (not a data protection officer) decides on any fine under Article 83. In doing so it takes into account the degree of responsibility of the controller and of the processor, having regard to the technical and organizational measures each of them implemented under Articles 25 and 32 (Article 83(2)(d)).

An Example Of A Data Processor

A gym is running a special promotional event and hires a printing company to produce some invitations. The gym provides the printing company with the names and addresses of their current members from their database. The printing company uses this information to send out invitations.

The gym is considered the controller of the personal information that is used to send the invitations. The gym has determined the purpose of processing the personal data (to send addressed invitations to the promotional event) and the means of the data processing (a mail merge of the personal data using the contact details of the data subjects).

The printing company is only processing the personal data as per the gym’s instructions and is, therefore, the data processor, not the data controller.

What Is A Sub-Processor According To The GDPR?

When a data processor chooses to sub-contract some or all of the data processing to a third party, this person or organization is commonly referred to as a “sub-processor.”

Article 28(2) of the GDPR states that a processor must not engage another processor (a sub-processor) without the controller’s prior specific or general written authorization. Where the controller has given general written authorization, the processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object.

Once they have obtained formal authorization from the data controllers, the data processor will remain fully liable to the data controller for the performance of the sub-processor.

What Must Be Included In A Contract Between A Processor And A Sub-Processor?

When a contract between a processor and a sub-processor is drawn up, it must contain the same data protection obligations originally set out in the contract between the data processor and the data controller.

This is commonly referred to as a “back-to-back contract.”

Article 28(3) of the GDPR sets out what the contract between a controller and its processor must contain, and Article 28(4) requires the same obligations to be flowed down to the sub-processor. The contract must therefore set out:

  • The subject-matter and duration of the processing.
  • The nature and purpose of the processing.
  • The type of personal data and the categories of data subjects.
  • The obligations and rights of the controller.

It must also oblige the (sub-)processor to:

  • Process the personal data only on documented instructions.
  • Ensure that persons authorized to process the data are bound by confidentiality.
  • Implement appropriate security measures in line with Article 32.
  • Respect the conditions in Article 28(2) and (4) for engaging further sub-processors.
  • Assist with responding to data subject rights requests.
  • Assist with security, personal data breach notification, and data protection impact assessment obligations (Articles 32 to 36), including alerting the controller without undue delay if there is a data breach.
  • Delete or return the personal data at the end of the service, unless law requires it to be retained.
  • Make available the information needed to demonstrate compliance and allow for, and contribute to, audits and inspections.

The ICO publishes detailed guidance on contracts and liabilities between controllers and processors, which should be consulted when drafting processor and sub-processor agreements.