With the advent of the General Data Protection Regulation (GDPR), already in force, and the revised Swiss Federal Act on Data Protection (FADP), which comes into effect in 2022, two different roles with varying responsibilities have emerged when it comes to data protection: the data controller and the data processor. But what are the key differences, and more importantly, which one are you?
Identifying the key differences is crucial for any business that collects, stores, and processes any type of personal data from clients, customers and users. In this article we will examine the core differences between data controllers and data processors, which will not only allow you to determine which one you are, but more importantly what your obligations are.
A data controller is a person, organisation or authority group that “determines the purposes for which and the means by which personal data is processed” (European Commission, 2021). They’re the ‘decision makers’. This essentially means that the data controller is the one who decides what personal data is going to be processed, the reason for processing it (purposes), and how they will go about doing it (means).
If your company comes together with other organisations to jointly determine the purposes and means by which personal data is processed, then you are joint controllers. You will typically design the process for collecting data with them, use the same database to store data and have common information management rules with the other controller.
What does this mean in real life? Here are some examples of companies and groups acting as the data controller:
But what does it mean if you are a data controller? Data controllers have the highest level of compliance responsibility, meaning you are ultimately responsible for the compliance of any and all of your data processors. Here is a list of some of the many responsibilities you will have if you are a data controller:
It is important to note that this is not an exhaustive list of responsibilities. The full list of your responsibilities will depend on your country of operation, and if you are not sure, or need further guidance, we would be happy to help.
A data processor is a person or business that “processes data only on behalf of the controller” (European Commission, 2021). This is typically a third party, whereby the processing duties are specified to the processor by means of a legally binding contract. Importantly, if your company has employees, they are not processors. For as long as they act within the scope of their employee ‘duties’, they are acting as ‘agents of a controller’ and not as a separate party.
Whilst the data processor may receive a benefit for processing data for a data controller (such as a fee), they do not have the primary interest in the end result. They are processing the data because the controller has asked them to do it.
What does this mean in real life? Here are some examples of companies and groups acting as a data processor:
Unlike data controllers who have a larger number of responsibilities, the main responsibility of data processors is to follow, and abide by, the data processing agreement set out with the controller that they are working on behalf of. This essentially means that they cannot change the purpose for processing or means by which the data is used or collected. Data processors can be held liable for any damage that could be caused by not abiding by the data processing agreement, so it is important that if you are a data processor you follow the instructions of the data controller.
Whilst the distinction is often clear between a data controller and a data processor, sometimes the divide is blurry. Likewise, a company is not automatically a data controller – it is common for a company to be both a data controller and a data processor. So how do you tell the difference?
Look through this first list of responsibilities:
If you answered yes to any (or all) of them, the likelihood is you are a data controller. Now look through this second list:
If you answered yes to any (or again all) of the above, then you are most likely a data processor.
Whilst the above lists may answer your question about the two roles fairly quickly, in real life it is often hard to tell them apart and determine who is a data controller and who is a data processor.
Still unsure? Get in touch with our data protection team to set up a call with one of our consultants and we will walk you through the differences.