Data Processor or Data Controller?

Overview

The "data controller" is the person (or business) who determines the purposes for which personal data is processed, and in what way.

By contrast, a "data processor" is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees).

 

Examples:

If you mostly deal with direct enquiries/business you will likely be a data controller. As the data controller customers will be contracting your services and so agreeing to your data policy.

However, if your business is providing services that require you to handle other individuals information on behalf of another company then you are probably a data processor.

Take a look at the example below.

Data_Processor_v_Cotroller.png

  • Here the individual (data subject) is contracting a business's (data controller) services.
  • However, in order to operate the business uses various services providers.
  • Some of these service providers need access to the personal data the business holds, in order to deliver their services.
  • In this instance, they are acting as data processors, on behalf of the business.

Any data processors and their processing activities must be declared to the individual by the data controller (the business). This would usually be in a privacy policy and the terms of service.

What the regulator says:

'Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

References

Data Controller

Data Processor