The "data controller" is the person (or business) who determines the purposes for which personal data is processed, and in what way.
By contrast, a "data processor" is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees).
If you mostly deal with direct enquiries/business, you will likely be a data controller. As the data controller, you are the party whose services customers are contracting, and so the party whose data policy they are agreeing to.
However, if your business provides services that require you to handle other individuals' information on behalf of another company, then you are probably a data processor.
Take a look at the example below.
- Here the individual (data subject) is contracting a business's (data controller) services.
- However, in order to operate, the business uses various service providers.
- Some of these service providers need access to the personal data the business holds, in order to deliver their services.
- In this instance, they are acting as data processors, on behalf of the business.
What the regulator says:
‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Data Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- GDPR: Definitions - Article 4 (7)
- GDPR: Information to be provided where personal data are collected from the data subject - Article 13