GDPR data controllers and data processors
This page sets out the obligations of GDPR data controllers and data processors and explains how each must work in order to reach compliance.
The introduction of GDPR has sparked questions about whether certain organizations are generally data controllers or data processors. Understanding the difference between data controllers and processors is vital for GDPR compliance.
Since GDPR became applicable in May 2018, controllers have had specific obligations. In addition, processors have legal obligations of their own. This is a major difference from the original Data Protection Directive (DPD) of 1995.
Under GDPR, the ICO and other supervisory authorities can prosecute both processors and controllers for any breaches. There are also specific requirements for joint controllers under GDPR.
There is a clear difference between a ‘data controller’ and a ‘data processor’ according to the GDPR.
The regulation recognizes that not all organizations involved in the processing of personal data have an equal level of responsibility. The definitions of controllers and processors according to the GDPR are as follows:
Data Controller – A legal or natural person, agency, public authority, or any other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Processor – A legal or natural person, agency, public authority, or any other body which processes personal data on behalf of a data controller.
If you are classed as a data controller or a data processor, you are responsible for ensuring that you comply with the GDPR and demonstrate compliance with the regulation’s data protection principles.
Data processors do not carry the same level of GDPR compliance responsibilities as controllers.
However, they must still take appropriate organizational and technical measures to ensure that any processing they carry out is done in line with the GDPR.
Data controllers are the key decision-makers. They have the final say over why personal data is collected (the purposes) and how it is processed (the means).
Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data for compliance, it will be classed as a data controller.
A data controller could be:
An organization may not have a separate legal personality of its own; unincorporated organizations such as voluntary groups and sports clubs are examples. In this case, the responsible party should refer to the document that governs the management of that organization.
This document should set out how the organization is to be managed on behalf of its members. Those who manage it on the members' behalf will likely be expected to act as the data controller or as joint data controllers.
Controllers are responsible for the strictest levels of GDPR compliance. According to Article 24 of the GDPR, they must actively demonstrate full compliance with all data protection principles.
They are also responsible for the GDPR compliance of any processors they might use to process the data.
They must demonstrate lawfulness, fairness and transparency, accuracy, data minimization, storage limitation, and the integrity and confidentiality of personal data.
According to Article 24 of the GDPR, data controllers must:
Data controllers must pay a data protection fee which a data protection officer enforces, provided they aren’t exempt.
Answer these questions to determine whether your organization is a data controller under GDPR:
Article 26(1) of the GDPR states that data controllers can determine the purposes and means of data processing individually or jointly with another party as joint data controllers.
According to the GDPR, joint controllers have a shared purpose and agree upon the purpose and means of processing data together. However, this will not apply if the same data is being used for different reasons.
Answer these questions to determine whether your organization is a joint controller under GDPR:
Joint controllers must arrange between themselves who takes the main responsibility. They are equally responsible for any security breaches, and any fines would be divided accordingly.
A doctor’s office uses an automated computer system in its waiting area to tell patients when to make their way to a consulting room.
The automated system works using a digital screen that shows the patient’s name and consulting room number. It may also use a speaker for any visually impaired patients to announce this information.
The doctor’s office will be the data controller for the personal data processed in connection with this notification system because it is in control of the purposes and means of the data processing.
A firm hires an accountant to do their books. When acting for their client, the accountant is classed as a data controller in relation to any personal data included in the accounts.
This is because accountants and other professional service providers must work according to certain professional standards and are required to take responsibility for any personal data that they are hired to process.
For example, if the accountant discovers some malpractice whilst completing the firm’s accounts, they may be expected to report this malpractice to the police or other authorities.
If they are required to take this action, they would no longer be acting on their client’s instructions but on their own professional obligations, and therefore as a data controller in their own right.
Specialist service providers who process data in accordance with their own professional obligations will always be acting as the data controller. For this reason, they are not permitted to hand over or share data controller obligations with their client.
A data processor can be a company or any other legal entity or an individual. Even though data processors make their own operational decisions, they will act on behalf of and under the authority of the relevant data controller.
According to Article 29 of the GDPR, a data processor must only process personal data according to the data controller’s instructions unless required to do so by law.
Individuals (data subjects) can file claims for compensation and damages against both data controllers and data processors. If a data processor goes against the data controller’s instructions, it will be liable for any resulting data breaches. Therefore, data processors must always ensure that they are complying with the GDPR.
Employees of the data controller are not classed as data processors. As long as an individual is acting within the scope of their employment duties, they act as an agent of the data controller.
In other words, the GDPR treats them as part of the controller and not as a separate party contracted to process data on behalf of the data controller.
Answer these questions to determine if your organization is a processor under GDPR:
Data processors don’t have the same level of legal obligations as controllers under GDPR. Processors don’t have to pay a data protection fee.
But they do have their own set of obligations under GDPR and can be subject to action taken by supervisory authorities like the ICO for any breaches.
According to Article 28 of the GDPR, if any data processing activities are carried out upon the instruction of a controller, the data processor must implement appropriate organizational and technical measures to meet the guidelines set out by the GDPR.
Processors have a responsibility to ensure that the data subject’s rights are protected, so they should have their own security measures.
If a breach of the GDPR is found, then as per Article 83 a data protection officer will impose a fine according to the degree of responsibility of the processor and the controller, taking into account all of the technical and organizational measures they implemented.
A gym is running a special promotional event and hires a printing company to produce some invitations. The gym provides the printing company with the names and addresses of their current members from their database. The printing company uses this information to send out invitations.
The gym is considered the controller of the personal information that is used to send the invitations. The gym has determined the purpose of processing the personal data (to send addressed invitations to the promotional event) and the means of the data processing (a mail merge of the personal data using the contact details of the data subjects).
The printing company is only processing the personal data as per the gym’s instructions and is, therefore, the data processor, not the data controller.
When a data processor chooses to sub-contract some or all of the data processing to a third party, this person or organization is commonly referred to as a “sub-processor.”
The GDPR states that a processor must obtain prior written authorization from the data controller when it intends to pass on personal data processing to a third party (sub-processor).
Even once it has obtained that formal authorization from the data controller, the data processor remains fully liable to the data controller for the performance of the sub-processor.
When a contract between a processor and a sub-processor is drawn up, it must contain the same data protection obligations originally set out in the contract between the data processor and the data controller.
This is commonly referred to as a “back-to-back contract.”
According to Article 28(3) of the GDPR, the contract between the processor and its sub-processor must contain the following information: