Understanding the concept of data controller and data processor is extremely important to determine what are the efforts the organisation will prioritise in order to be compliant with the General Data Protection Regulation (GDPR), as the regulation sets different responsibilities and obligations. For instance, it is a data controller’s obligation to comply with data subject rights, data breach notifications and to carry out data protection impact assessments.

This article presents the main differences between these two data protection roles under the GDPR.

According to Art.4.7 of the GDPR, the data controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller is the organisation that decides “why” and “for what” the personal data is processed (purposes) and “how” the personal data is processed, determining the means that should be employed to achieve the purpose established. It is important to highlight that the data controller must decide both the purposes and means of the processing.

The EDPB’s guidelines on the concepts of controller and processor in the GDPR divided the means of the processing in essential and non-essential means. The essential means are the ones that are closely linked to the purpose and the scope of the processing, such as the type of personal data being processed, the duration of the processing, the categories of data subjects, among others. The non-essential means concerns side aspects of the processing, such as the choice of hardware and/or software, and security measures (technical and organisational).

The data controller can decide the means and the purposes of the processing alone or jointly with other data controller. This means that when two or more organisations decides the means and purposes jointly, they will act as joint controllers. It is essential to note that this relationship needs to be regulated by a joint-controllership agreement, where the parties agree about the organisation responsible to handle data subject right requests and to comply with the information requirements under the GDPR. The agreement can also establish other data controller obligations such as data breach notification obligations, data protection impact assessments, the use of processors, international data transfers, general data protection principles, security measures, among others.

The data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (art.4.8 of the GDPR). Organisations are classified as data processors when two conditions are met, according to the EDPB’s guidelines mentioned above.

First, the organisation that is acting as a data processor needs to be a separate entity to the data controller. This means that the data processor is an external organisation that is being contracted by the controller to process personal data on its behalf. Therefore, employees of a data controller are not to be considered as data processors, as they are part of the organisation that determines the means and the purposes of the processing, and they are acting under the direct authority of the organisation.

Secondly, the data processor needs to

process the personal data on the controller’s behalf

The data processor cannot process personal data for its own purposes. Wherever the data processor determines the means and purposes of the processing that is being carried out, the data processor will become a data controller in respect of that specific processing, as it would not be acting on data controller’s behalf. This means that the organisation will have to comply with all data controllers’ obligations under the GDPR, such as data subject rights, data breach notifications, data protection impact assessments, among others.

It is important to note that there are some decisions about the means of the processing of personal data that data processors can take, as the data controller can leave a certain level of discretion to data processors to decide how to best suit the controller’s interest, such as the possibility to determine the technical and organisational means. These are considered by the EDPB as non-essential means of the processing, as already mentioned.

When the data processor engages another organisation to process the personal data on the controller’s behalf, this organisation will be considered as a sub-processor. Prior to the engagement with sub-processors, the data processor must seek authorization of the data controller as it is the main responsible for the processing (art.28.2 of the GDPR).

The first step to identify the organisation role under the GDPR is to identify all the processing activities that are being carried out by the organisation and verify who is determining its means and the purposes.

If the organisation is determining the means and purposes of the processing, the organisation will act as a data controller and will have to comply with all controller’s obligations and responsibilities laid down in the GDPR. If the organisation is processing the personal data following instructions of another entity, then the organisation will act as a data processor.

Usually, this assessment is carried out during the data map, where the Records of Processing Activities (RoPA), which is a requirement for both data controllers and data processors under art. 30 of the GDPR, is elaborated.

IMPORTANT: Organisations are not branded as the ‘data controller’ or ‘data processor’ as a whole. An organisation can. be, and usually is, both data controller and data processor, depending on its processing activities.

The factor that will determine the organisation’s role is the processing activity itself and not its business goals. For instance, an organisation can be considered as data controller for human resources and marketing activities and data processor for the provision of a service for a data controller.