GDPR data controllers and data processors

This page sets out the obligations of GDPR data controllers and data processors and explains how they must work in order to reach compliance.

Data Controllers and Processors

Understanding the difference between data controllers and data processors is vital for companies to fully comply with GDPR.


Since GDPR came into force in May 2018, controllers have had specific obligations. In addition, processors have legal obligations of their own. This is a major difference from the original DPD legislation of 1995.

Under GDPR, the ICO and other supervisory authorities can take action against both processors and controllers for any breaches. There are also specific requirements for joint controllers under GDPR.

What are data controllers and data processors?

A data controller is the key decision maker. It has the overall say and control over the reasons and purposes behind data collection and over the means and methods of data processing.

If two or more controllers share control over the purposes and means of processing, then they are joint controllers. However, this doesn’t apply if they are using the same data for different purposes.

A data processor acts on behalf of the controller and only operates on the controller’s instructions. Individuals can make claims for compensation and damages against both processors and controllers.

Is your company a processor or controller?

As a company, you should assess and document every other organisation you work with that uses personal data, as well as every processing activity you carry out. The key question that determines whether you’re a processor or a controller is: who determines the purpose for which the data is being processed?

Organisations that determine both the purposes behind the data processing and the methods and means of data processing are controllers. This is regardless of how they may otherwise be described during any of the processing activities.

Is your company a data controller?

Answer these questions to determine whether your organisation is a data controller under GDPR:

  1. Did you make the decision to collect and process personal user data?
  2. Did you determine the purpose of the data processing?
  3. Did you decide what kind of personal data should be collected?
  4. Will you commercially benefit from processing the data (aside from payment for controller services)?
  5. Are the data subjects your own employees?
  6. Did you decide about the users concerned as part of or because of the processing?
  7. Are you properly exercising professional judgement when processing the personal data?
  8. Do you have a direct connection with the data subjects?
  9. Are you solely in charge of how the data is processed?
  10. Have you outsourced the processing of the data to processors?

Is your company a joint data controller?

Answer these questions to determine whether your organisation is a joint controller under GDPR:

  1. Do you have a shared objective with other companies for the data processing?
  2. Are you processing the data for the same reason as another controller?
  3. Are you using the same set of personal data for the processing as another controller? For example, this could mean using the same database.
  4. Are you designing the processing with another controller?

Is your company a processor?

Answer these questions to determine if your organisation is a processor under GDPR:

  1. Are you processing personal data for someone else and under their instruction?
  2. Were you given the personal data by a third party or instructed on the kind of data to collect?
  3. You neither decided to collect personal data from individuals nor decided what data should be collected.
  4. You don’t decide the lawful basis on which that data is collected or used.
  5. You don’t decide what the data will be used for.
  6. You do not decide how long the data will be retained and stored.
  7. Are you implementing decisions on data processing as part of a contract with another company?
  8. You’re not interested in the overall purpose or end result of the processing.

Duties of a GDPR Data Controller

Controllers are responsible for the strictest level of GDPR compliance. They must actively demonstrate full compliance with all data protection principles under GDPR. They are also responsible for the GDPR compliance of the processors they use to process the data.

Controllers in the UK have to pay the data protection fee, provided they aren’t exempt.

Duties of a GDPR Data Processor

Processors don’t have the same level of legal obligations as controllers under GDPR. They don’t have to pay a data protection fee. But they do have their own set of obligations under GDPR and can be subject to action taken by supervisory authorities like the ICO for any breaches.

Duties of joint GDPR Data Controllers

Joint controllers have to arrange between themselves who takes the main responsibility. This includes responsibility for individuals’ rights and for transparency obligations.

For ICO guidelines on contracts between controllers and processors, click here.