What is a data controller, and what is a data processor?
Am I a controller?
The data controller determines the purpose and means of processing personal data.
A data controller is a person or organisation that controls the purpose and means by which personal data is processed. So if you collect and store personal data, you are a data controller. If your business collects and stores personal data, then your business is a data controller.
Am I a processor?
The data processor deals with personal data on behalf of the controller. A data processor is usually a third party external to the company. The processor's duties towards the controller must be specified in a contract or legal act. This means that the data controller exercises overall control over the why and how of a data processing activity.
What are the tasks of a data controller?
Two separate organizations can be data processors of the same data. However, it is not as simple as it seems.
As a data controller, you are subject to several requirements under EU law:
Notifying the authorities before any data processing
Complying with European data protection principles, e.g., processing data fairly and lawfully and using data for specific, legitimate purposes
Providing specific information to individuals about whom you hold personal data, e.g., your identity, details of your data, and your plans about it
Implementing technical and organizational measures to protect personal data against accidental loss/destruction, unauthorized access, or other unlawful processing
Entering into agreements with your processors that require them to either act only on your instructions or comply with the same security obligations imposed on you under the applicable national legislation
Do you need more clarification? Check out the following examples:
Controller and processor
A store has many employees. The store hires a payroll company to pay the wages. The store specifies a cutoff date for salaries, employee leave, or pay raises. The store management provides details for the salary slip and payment, while the payroll company must provide the IT system and store the employees' data. The store is the data controller, and the payroll company is the data processor.
Your company or organisation offers massage therapy services via an online platform. At the same time, your company or organisation has a contract with another company allowing you to provide value-added services. Those services include the possibility for clients to book the therapy of their choice in the comfort of their home and rent add-on services like massage chairs or machines... Both companies are involved in the technical setup of their shared platform, for example, a website. In this case, the two companies have decided to use the platform for both purposes (massage therapy and massage machine rental) and will share clients' databases. The two companies are joint controllers because they not only agree to offer the possibility of 'combined services' but also design and use a common platform.
Andreas Springer _Actonic_
Head of Marketing