Controller vs Processor


According to Article 4 of the EU GDPR, different roles are identified as indicated below:

  • Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

So, the organisations that determine the purposes and means of processing personal data are controllers, regardless of whether they collect the data directly from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but another organisation (processor), such as a data centre or a document management company, stores, digitises and catalogues the paper records produced by the bank. Both organisations (controller and processor) are responsible for how these customers’ personal data is handled.

What are the controllers’ responsibilities?

According to Article 5 of the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality of personal data.

According to Article 24 of the EU GDPR, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Examples of such measures are allocating responsibilities for data protection, carrying out a data protection impact assessment and a risk mitigation plan, implementing pseudonymisation (processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately), and applying data minimisation, all in order to meet the requirements of the Regulation and protect the rights of data subjects.

If several organisations share responsibility for the processing of personal data, the EU GDPR provides for joint controllers. They must determine their respective responsibilities by agreement, make the essence of that agreement available to the data subjects, and may designate a single point of contact for data subjects.

What are the processors’ responsibilities?

According to Article 28 of the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

This means that any company, EU or non-EU, acting as controller or processor will have to implement the necessary controls to comply with the EU GDPR, because fines can be applied to both controllers and processors. According to Article 83, when deciding on a fine, due regard shall be given to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”