Here we are looking to understand whether you are a data controller or a data processor.
(In the context of GDPR, "data" is just another word for personal information.)
The "data controller" is the person (or business) who determines the purposes for which personal data is processed, and in what way.
By contrast, a "data processor" is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees).
If you mostly deal with direct enquiries/business, you will likely primarily be a data controller. As the data controller, you are the party whose services customers contract, and in doing so they agree to the terms of your privacy information.
However, if your business provides services that require you to handle personal information on behalf of another company, then you are probably a data processor.
Take a look at the example below.
- Here the individual (data subject) is contracting a business's (data controller) services.
- However, in order to operate, the business uses various service providers.
- Some of these service providers need access to the personal data the business holds, in order to deliver their services.
- In this instance, they are acting as data processors, on behalf of the business.
What the regulator says:
"Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"
"Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;"