TL;DR:
- A GDPR data controller determines why and how personal data is processed. A data processor processes data solely on behalf of the controller, following documented instructions.
- Controllers bear primary GDPR responsibility for transparency, lawfulness, accuracy, and confidentiality under Article 5. Processors must not use personal data for their own purposes.
- If a processor acts outside the controller’s instructions, it becomes a controller for that processing and assumes full liability. Controllers must select only GDPR-compliant processors to avoid penalties.
Introduction
Is your cloud-hosted company a data processor or controller? It’s important to understand the main differences because it defines your responsibilities under the GDPR.
Obtaining GDPR compliance becomes confusing and frustrating when the different roles are unclear. When comparing a GDPR data processor with a data controller, there are distinct differences that define your legal obligations.
In this article, we will explain the main differences between GDPR data controller vs processor with examples and elaborate on the various responsibilities of both entities under the GDPR.

What is a GDPR Data Controller?
A data controller (as defined by Article 4 of the GDPR) is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. In simpler terms, a data controller is the entity that decides:
- Why personal data is being collected and processed
- How the personal data will be processed
Key aspects of a data controller’s role include:
- Decision-making authority over data processing activities
- Responsibility for ensuring GDPR compliance
- Accountability for the security and proper handling of personal data
- Obligation to protect data subjects’ rights
Article 5 of the GDPR states that data controllers are responsible for information transparency, fairness, and lawfulness. They are also required to protect personal data’s confidentiality, accuracy, and storage limitation. Thus, data controllers should only select data processors that comply with the GDPR to avoid penalties and GDPR fines.
Example of a GDPR data controller
For instance, hospitals use computer systems to display a patient’s name and consulting room number in the waiting area. Since the hospital decides what patient data the system displays and for what purpose, the hospital is the data controller for the personal data of the patients. The data controller bears the bulk of the responsibility for protecting data subjects’ privacy and rights, governing access, and obtaining cookie consent.
What is a GDPR Data Processor?
A GDPR data processor is defined as a natural or legal person, public authority, agency, or other body that processes personal data solely on behalf of the data controller. Typically, a data processor is a third-party entity external to the controller’s organization, contracted to perform specific data processing tasks.
Key characteristics of a data processor include:
- Acts on instructions from the controller
- Does not determine the purposes or means of processing
- Processes data for the controller’s defined purposes
Example of a GDPR data processor
Consider a cloud-hosted company that outsources payroll to a payroll service provider. Employee data is stored by the payroll company, which also provides the IT system. Hence, the payroll company is the data processor for the cloud-hosted company.
Consider another example of a gym hiring a printing house to print invitations for the inauguration of a new branch. The gym provides the printer with the contact details of its existing members and the design of the invitations. Thus, the gym is the data controller whereas the printer is the data processor.
Two fundamental requirements define a data processor:
- It must process personal data on behalf of the controller
- It must be a separate legal entity from the data controller
Typically, data processors provide IT solutions, including cloud storage. Data processors may also sub-contract a part of their activities to other data processors or nominate a joint data processor provided it has prior written authorization from the data controller.
Key differences between a GDPR data processor and a data controller
The following table explains the major differences between data controllers and data processors:
| Data controller | Data processor |
|---|---|
| Determines the purposes and means of processing personal data | Performs personal data processing on behalf of the controller |
| Gives instructions to the data processor for data processing | Is bound by law to follow the instructions of the data controller |
| Responsible for ensuring that processing is GDPR-compliant | Responsible for providing the controller with the information necessary to demonstrate compliance |
| Responsible for carrying out data protection impact assessments (DPIAs) as per Article 35 | Responsible for helping the data controller with DPIAs as per Article 28 |
| Must inform the supervisory authority and data subject(s) within 72 hours of discovering a data breach | Must inform the data controller(s) of any security breaches |
| May engage any data processor that is GDPR-compliant and agrees to the terms of the contract | May subcontract processors only after written approval from the data controller |
What are the Different Roles of GDPR Data Controller vs Processor?
A data controller determines the purposes and means of processing personal data, while a data processor acts on behalf of the controller by handling the data according to their instructions. This difference shapes each entity’s responsibilities under GDPR. Controllers are primarily responsible for ensuring GDPR compliance and safeguarding data, while processors must follow the controller’s guidelines and implement appropriate security measures.
Data controllers and data processors have different GDPR compliance responsibilities. For some entities, the distinction between controller and processor may not be clear. Once an entity knows which role it plays, controller or processor, it can limit its risk exposure by following a GDPR compliance checklist.
The GDPR defines the various roles of data controllers and data processors. Let’s break down GDPR data processor vs data controller responsibilities.
Collecting Data
Personal data from data subjects is collected only by data controllers. Thus, they need to determine their legal authority to obtain the data.
It is the data controller’s responsibility to create a GDPR privacy policy with the following information:
- What information do they collect?
- How do they keep information?
- What do they do with the information?
- Who do they share the data with?
- Is the data shared with third parties?
- When and how is the data deleted?
If a data processor also collects personal data, then it must take on all these responsibilities.
Contracts
Data controllers choose GDPR-compliant data processors to process data on their behalf. For such collaboration, a well-defined contract is required – and Article 28 of GDPR specifies exactly what that contract has to cover, from subprocessor authorization to processing instructions, security measures, audit rights, and the controller’s right to demand deletion or return of personal data at the end of the engagement.
The data controller creates the contract and the data processor is bound by law to follow the data controller’s instructions.
Items to be included in the contract:
- Nature, purpose, subject, and timeline of the processing plan
- Rights and obligations of the controller
- Categories of data
- Classification of data subjects
- Agreement to follow instructions
- Confidentiality concerns
- Security commitment
- Hiring of subcontractors
- Proof of compliance
- Data retrieval and erasure
Codes of Conduct or Certifications
Controllers and processors must agree to a code of conduct or a recognized GDPR certification process that outlines how the data processing agreement complies with the GDPR.
Liability
Data controllers are liable for the collection, usage, and disposal of personal data. Under GDPR, individuals whose personal data you hold may send their queries or complaints to either the controller or the processor.
If processors work outside of the instructions given by the controller or they violate the GDPR, they are held liable.
Security
Controllers and processors must both follow GDPR-compliant security practices. They must protect data from unauthorized access, accidental loss or disclosure, or destruction.
Transparency
Throughout the data life cycle, transparency must be maintained from collection to deletion. Usually, it applies to data controllers who collect data.
The GDPR does not explicitly mention data processors in terms of transparency.
Recordkeeping
Data controllers are required to keep records if they process sensitive information or have more than 250 employees. The exact structure of those records is governed by GDPR Article 30, which lays out the records of processing activities (ROPA) that must be maintained, including controller details, processing purposes, data categories, transfers, and retention schedules. These records should contain the following information:
- Controller information
- Types of data described in detail
- Transfer of data, including transfer to third parties
- Specifics of erasure
- A summary of data security measures
Data processors must also keep records that pertain to the processes that controllers carry out and they include:
- Name and contact information of the processor(s) and data protection officer (DPO)
- Processing classifications
- Transfers of data to third countries or international organizations
- A general description of security measures
Reporting Data Breaches
If a personal data breach appears to jeopardize the rights and freedoms of data subjects, data controllers must notify the supervisory authority and the data subject. The 72-hour notification window catches US-based controllers off guard most often, because their domestic state-law timelines are far longer; our guide on GDPR compliance for US companies walks through the breach-response workflow needed to hit the EU window from a US-headquartered organization.
The supervisory authority must be notified within 72 hours of discovering the data breach.
Data processors must notify the affected data controllers if they discover a security breach.
Appointing a Data Protection Officer
Controllers and processors must both appoint a data protection officer (DPO).
Data Protection Impact Assessments
When instructing a data processor to perform a high-risk activity, data controllers must conduct a data protection impact assessment.
Data protection impact assessments involve the collaboration of the supervisory authority and the data protection officer.

Conclusion
The GDPR draws a distinction between data controllers vs data processors to recognize that not all companies involved in processing personal data have the same degree of responsibility. While the roles and responsibilities may be different, both parties complement each other in maintaining data protection, accountability, and transparency.
Data controllers typically perform a majority of the regulatory work, whereas data processors play a more prescriptive role. By working in collaboration with each other, both parties ensure compliance and avoid hefty GDPR fines.
Obtaining GDPR compliance is a step-by-step process and depends on a variety of factors like the type of data, and the number and type of processes. It takes a long-term commitment to compliance and integration into the existing structures of the company.
Sprinto offers a swift, tech-enabled, and hassle-free experience of obtaining GDPR compliance within weeks instead of months. Book a demo today to understand how you can fast-track your way to becoming compliant.
FAQ
A GDPR data controller is a person or body that, alone or in collaboration with others, determines the purposes and the means of processing personal data.
A GDPR data processor is a person or body which processes personal data on behalf of the data controller.
The data controller is responsible for ensuring that all the vendors involved in data processing are GDPR compliant. Organizations generally rely on Standard Contractual clauses to ensure that data processors are compliant.
The GDPR agreement between a controller and processor is a legally binding contract known as a Data Processing Agreement (DPA). This agreement is required under Article 28 of the GDPR and must include specific provisions:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- The processor’s duty to follow the controller’s instructions
- Confidentiality commitments
- Security measures to be implemented
- Rules about engaging sub-processors
- Assistance with data subject rights
- Support for the controller in ensuring GDPR compliance
- Actions to be taken at the end of the provision of services
Yes, it is possible for an organization to act as both a data controller and a data processor under GDPR, but in different contexts:
- As a controller for its own data processing activities (e.g., employee data, customer data for its own services)
- As a processor when handling data on behalf of another organization
For example, a cloud service provider might be:
- A controller for its own customer and employee data
- A processor for the data its clients store on its platforms
A hospital collecting patient information to provide treatment is a data controller because it decides why and how personal data is used, while a cloud storage or payroll provider handling that data on the hospital’s behalf acts as a data processor.
Google can act as both a data controller and a data processor, depending on the service and context – Google Workspace may act as a processor for customer data, while Google acts as a controller for data it collects for its own purposes, such as analytics or account management.
Author
Bhuvesh Lal
Bhuvesh writes about security compliance, governance, and risk management for modern SaaS businesses. At Sprinto, he focuses on helping companies understand and navigate frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and AI compliance requirements.