GDPR defines a clear difference between a data controller and a data processor, and not all organizations involved in data processing have the same responsibilities. Compliance requirements differ depending on whether your organization is a controller, a processor, or both.
Understanding the difference between data controllers and processors is vital for GDPR compliance. Claiming ignorance isn’t an option — you’re responsible for ensuring you comply with GDPR and can prove that compliance to supervisory authorities.
We’ll cover the key differences between data controllers and processors as well as their responsibilities below. However, it’s important to speak to your legal team or outside counsel to know where your organization falls.
GDPR Data Controllers vs Data Processors
Under GDPR, a data controller is an organization or individual that decides how and why personal data will be processed.
A data processor is any third party that processes personal data on behalf of a data controller. A data processor must only process personal data as instructed by the data controller, unless required to do so by law.
Data controllers have greater responsibilities for GDPR compliance, but data processors are still required to ensure that any data they process is handled in accordance with GDPR.
Note that it is possible to be both a data controller and a data processor. To know for sure, it’s important to speak to your legal team or outside counsel.
Example
Let’s clarify the difference between data controllers and data processors with an example based on one from the UK Information Commissioner's Office.
An IT services firm stores archived data on behalf of a bank. While the firm uses its own technical expertise to help decide how best to store the data in a safe and accessible way, the bank controls why and how the data is used and determines how long it is retained. The bank is therefore the presumptive data controller because it retains exclusive control over why the data is processed. The IT services firm is the presumptive data processor because while it has some control over how the data is processed, it does not control why it’s processed.
GDPR Data Controller Requirements
Data controllers are expected to meet the strictest levels of GDPR compliance.
Not only are they required to actively demonstrate full compliance with all data protection principles — they are also responsible for the GDPR compliance of any data processors they use.
Article 24 outlines the following requirements of data controllers. They must:
- Take into account the purpose, nature, context, and scope of data processing.
- Consider the likelihood and severity of the risk to the rights and freedoms of individuals.
- Implement appropriate and effective measures that demonstrate the compliance of data processing activities with GDPR.
- Review and update these measures where necessary.
GDPR Data Processor Requirements
Data processors don’t have the same level of legal obligations as controllers under GDPR.
They do have to comply with the obligations of the controller as outlined in a binding written agreement. This includes only acting on the controller's documented instructions for what data they can process, why, and for how long.
When processing data according to those instructions, the data processor must implement appropriate organizational and technical measures to meet the guidelines set out by the GDPR.
Once the data processing has been completed, the data processor must also return the personal data to the controller or delete it, unless required to store it by law.
FAQs
What is the difference between data controller and data processor under GDPR?
Under GDPR, a data controller decides how and why personal data will be processed, whereas a data processor processes personal data on behalf of a data controller.
What is the GDPR agreement between controller and processor?
The GDPR agreement between a data controller and processor is a data processing agreement. Under GDPR, data controllers are required to have data processing agreements with all data processors. These agreements must meet the following requirements laid out in Article 28 by stating:
- the subject-matter and duration of the processing
- the nature and purpose of the processing
- the type of personal data and categories of data subjects
- the obligations and rights of the controller
Can you be both controller and processor under GDPR?
You can be both a data controller and processor under GDPR, but only for different processing activities. For example, you can be a data controller when processing your employees' data and a data processor when processing personal data on behalf of and as instructed by a data controller.
What is an example of a controller and processor?
Say a SaaS company signs a contract with a payroll company and instructs them when and how to pay their employees. Then in this example, the SaaS company is a data controller and the payroll company is a data processor.