GDPR Data Processor vs Data Controller (Main Differences)

Bhuvesh Lal

Mar 01, 2024

Key Points 

  • GDPR data processors and data controllers have distinct roles under the GDPR and varying degrees of responsibility. However, both parties work jointly to maintain transparency, accountability, and data protection.
  • A GDPR data controller is a person or body which, alone or jointly with others, determines the purpose of and the means by which personal data is processed. A data processor is a person or body which processes data on behalf of the controller.
  • Data processors are bound by law to process data according to the controller’s instructions as specified in a contract. 

Introduction

Is your cloud-hosted company a data processor or controller? It’s important to understand the main differences because it defines your responsibilities under the GDPR. 

Trying to obtain GDPR compliance can be frustrating if the different roles are unclear. When comparing GDPR data processor vs controller, there are some distinct differences that will define your legal obligations.

In this article, we will explain the main differences between GDPR data controller vs processor with examples and elaborate on the various responsibilities of both entities under the GDPR. 

What is a GDPR Data Controller?

Article 4 of the GDPR states that a data controller is a natural or legal person, public authority, agency, or other body that defines the purpose for which and the means by which personal data is processed. The data controller either works alone or in collaboration with other data controllers. 

For instance, hospitals use computer systems to display a patient’s name and consulting room number in the waiting area. Since the system controls the data, the hospital is the data controller for the personal data of the patients. 

The data controller has the bulk of the responsibility for protecting customers’ privacy and rights, governing access, and obtaining cookie consent.

Article 5 of the GDPR states that data controllers are responsible for information transparency, fairness, and lawfulness. They are also required to protect personal data’s confidentiality, accuracy, and storage limitation. Thus, data controllers should only select data processors that comply with the GDPR to avoid penalties and GDPR fines.

What is a GDPR Data Processor?

The GDPR data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Usually, it is a third-party company selected by the data controller. 

In the previous example of the cloud-hosted company and the payroll service provider, employee data is stored by the payroll company which also provides the IT system. Hence, the payroll company is the data processor for the cloud-hosted company.

Consider another example of a gym hiring a printing house to print invitations for the inauguration of a new branch. The gym provides the printer with the contact details of its existing members and the design of the invitations. Thus, the gym is the data controller whereas the printer is the data processor. 

There are two basic requirements to be a data processor: you should be a separate legal entity from the data controller and you should process personal data on behalf of the controller.

Data processors do not own the data or control it. So they cannot change its purpose or the means by which it is processed. 

Typically, data processors provide IT solutions, including cloud storage. Data processors may also sub-contract a part of their activities to other data processors or nominate a joint data processor, provided they have prior written authorization from the data controller.

The following table explains the major differences between data controllers and data processors:

What are the Different Roles of GDPR Data Controller vs Processor?

Data controllers and data processors have different GDPR compliance responsibilities. For some entities, the distinction between controllers and processors may not be clear. If each entity knows which role it plays — controller or processor — it can limit its risk exposure by complying with the GDPR compliance checklist.

The GDPR defines the various roles of data controllers and data processors. Let’s break down GDPR data processor vs data controller responsibilities. 

Collecting Data

Personal data from data subjects is collected only by data controllers. Thus, they need to determine their legal authority to obtain the data.

It is the data controller’s responsibility to create a GDPR privacy policy with the following information:

  • What information do they collect?
  • How do they keep information?
  • What do they do with the information?
  • Who do they share the data with?
  • Is the data shared with third parties?
  • When and how is the data deleted?

If a data processor also collects personal data, then it must take on all these responsibilities.

Contracts

Data controllers choose GDPR-compliant data processors to process data on their behalf. For such collaboration, a well-defined contract is required that specifies the steps to be taken by the processor when processing data.

The data controller creates the contract and the data processor is bound by law to follow the data controller’s instructions. 

Items to be included in the contract:

  • Nature, purpose, subject, and timeline of the processing plan
  • Rights and obligations of the controller
  • Categories of data
  • Classification of data subjects
  • Agreement to follow instructions
  • Confidentiality concerns
  • Security commitment
  • Hiring of subcontractors
  • Proof of compliance
  • Data retrieval and erasure

Codes of Conduct or Certifications

Controllers and processors must agree to a code of conduct or a recognized GDPR certification process that outlines how the data processing agreement complies with the GDPR.

Liability

Data controllers are liable for the collection, usage, and disposal of personal data. Under GDPR, individuals whose personal data you hold may send their queries or complaints to either the controller or the processor. 

If processors work outside of the instructions given by the controller or they violate the GDPR, they are held liable. 

Security

Controllers and processors must both follow GDPR-compliant security practices. They must protect data from unauthorized access, accidental loss or disclosure, or destruction. 

Transparency

Throughout the data life cycle, transparency must be maintained from collection to deletion. Usually, it applies to data controllers who collect data. 

The GDPR does not explicitly mention data processors in terms of transparency. 

Recordkeeping

Data controllers are required to keep records if they process sensitive information or have more than 250 employees. These records should contain the following information:

  • Controller information
  • Types of data described in detail
  • Transfer of data, including transfer to third parties
  • Specifics of erasure
  • A summary of data security measures

Data processors must also keep records that pertain to the processes that controllers carry out. These records include:

  • Name and contact information of the processor(s) and data protection officer (DPO)
  • Processing classifications
  • Transfers of data to third countries or international organizations
  • A general description of security measures

Reporting Data Breaches

If a personal data breach appears to jeopardize the rights and freedoms of data subjects, data controllers must notify the supervisory authority and the data subject.

The supervisory authority must be notified within 72 hours of discovering the data breach. 

Data processors must notify the affected data controllers if they discover a security breach.

Appointing a Data Protection Officer

Controllers and processors must both appoint a data protection officer (DPO).

Data Protection Impact Assessments

When instructing a data processor to perform a high-risk activity, data controllers must conduct a data protection impact assessment.

Data protection impact assessments involve the collaboration of the supervisory authority and the data protection officer. 

Conclusion

The GDPR draws a distinction between data controllers and data processors to recognize that not all companies involved in processing personal data have the same degree of responsibility. While the roles and responsibilities may be different, both parties complement each other in maintaining data protection, accountability, and transparency. 

Data controllers typically perform a majority of the regulatory work, whereas data processors play a more prescriptive role. By working in collaboration with each other, both parties ensure compliance and avoid hefty GDPR fines. 

Obtaining GDPR compliance is a step-by-step process and depends on a variety of factors like the type of data, and the number and type of processes. It takes a long-term commitment to compliance and integration into the existing structures of the company. 

Sprinto offers a swift, tech-enabled, and hassle-free experience of obtaining GDPR compliance within weeks instead of months. Book a demo today to understand how you can fast-track your way to becoming compliant. 

FAQ: Data Controller vs Data Processor GDPR

  • What is a GDPR data controller?

A GDPR data controller is a person or body that, alone or in collaboration with others, determines the purposes and the means of processing personal data. 

  • Who is a data processor in GDPR?

A GDPR data processor is a person or body which processes personal data on behalf of the data controller.

  • Who is responsible for ensuring GDPR compliance from data processors?

The data controller is responsible for ensuring that all the vendors involved in data processing are GDPR compliant. Organizations generally rely on Standard Contractual Clauses to ensure that data processors are compliant.
