GDPR data controllers and data processors
This page sets out the obligations of GDPR data controllers and data processors and explains how each must operate in order to reach compliance.
Understanding the difference between data controllers and data processors is vital for companies to fully comply with GDPR.
Since GDPR came into force in May 2018, controllers have had specific obligations, and processors have had legal obligations of their own. This is a major difference from the original Data Protection Directive (DPD) of 1995, which placed obligations directly on controllers only.
Under GDPR the ICO and other supervisory authorities can take enforcement action against both processors and controllers for breaches. There are also specific requirements for joint controllers under GDPR.
A data controller is the key decision maker. It has the overall say and control over the reasons and purposes behind data collection and over the means and methods of data processing.
If two or more controllers jointly determine the purposes and means of processing, then they are joint controllers. This does not apply if they are using the same data for different purposes of their own.
A data processor acts on behalf of the controller and only processes personal data on the controller's documented instructions. Individuals (data subjects) can make claims for compensation and damages against both processors and controllers.
As a company, you should assess and document every other organisation you work with that uses personal data, and every processing activity you carry out. The key question that determines whether you are a processor or a controller is: who determines the purpose for which the data is being processed?
Organisations that determine both the purposes behind the data processing and the methods and means of data processing are controllers, regardless of how they may otherwise be described during any of the processing activities (for example, in a contract).
Answer these questions to determine whether your organisation is a data controller under GDPR:
Answer these questions to determine whether your organisation is a joint controller under GDPR:
Answer these questions to determine if your organisation is a processor under GDPR:
Controllers are responsible for the strictest levels of GDPR compliance. They must be able to actively demonstrate compliance with all of the data protection principles under GDPR (the accountability principle). They are also responsible for choosing processors that provide sufficient guarantees of GDPR compliance, and for ensuring those processors act only on their instructions.
Controllers in the UK have to pay the data protection fee, provided they aren’t exempt.
Processors do not have the same level of legal obligations as controllers under GDPR, and they do not have to pay the data protection fee. But they do have their own set of obligations under GDPR (for example, to process personal data only on the controller's documented instructions, to keep it secure and to notify the controller of breaches) and can be subject to enforcement action by supervisory authorities such as the ICO for any breaches.
Joint controllers must agree between themselves, in a transparent arrangement, which of them takes responsibility for which obligations. This includes handling individuals' rights requests and meeting transparency obligations, and the essence of the arrangement must be made available to the individuals concerned.
The ICO publishes guidance on the contracts that must be in place between controllers and processors.