Data Controller vs Data Processor

What is a data controller, and what is a data processor?

Am I a controller?

The data controller determines the purpose and means of personal processing data.

A data controller is a person or organisation that controls the purpose and means by which personal data is processed. So if you collect and store personal data, you are a data controller. If your business collects and stores personal data, then your business is a data controller.

Am I a processor?

The data processor deals with personal data on behalf of the controller. A Data processor is usually a third-party external to the company. The processor's duties towards the controller must be specified in a contract or legal act. This means that the data controller practices overall control over the why and how of a data processing activity. 

What are the tasks of a data controller?

Two separate organizations can be data processors of the same data. However, it is not as simple as it seems. 

As a data controller, you are subject to several requirements under EU law.

•  Notifying the authorities before any data processing

• Complying with European data protection principles, e.g., processing data fairly and lawfully and using data for specific, legitimate purposes

•  Providing specific information to individuals about whom you hold personal data, e.g., your identity, details of your data, and your plans about it

• Implementing technical and organizational measures to protect personal data against accidental loss/destruction, unauthorized access, or other unlawful processing

• Entering into agreements with your processors that require them to either act only on your instructions or comply with the same security obligations imposed on you under the applicable national legislation

 Do you need more clarification? Check out the following examples:

Controller and processor

A store has many employees. The store hires a payroll company to pay the wages. The store specifies a cutoff date for salaries, employee leaves, or pay raise. The store management provides details for the salary slip and payment, while the payroll company must give the IT system and store the employees' data. The store is the data controller, and the payroll company is the data processor.

Joint controllers

Your company or organisation offers massage therapy services via an online platform. At the same time, your company or organisation has a contract with another company allowing you to provide value-added services. Those services include the possibility for clients to book the therapy of their choice in the comfort of their home and rent add-on services like massage chairs or machines... Both companies are involved in the technical setup of their shared platform, for example, a website. In this case, the two companies have decided to use the platform for both purposes (massage therapy and massage machine rental) and will share clients' databases. The two companies are joint controllers because they not only agree to offer the possibility of 'combined services' but also design and use a common platform.