What are controllers and processors?

Under GDPR, controllers are also responsible for protecting individual privacy and securing personal data.

The GDPR information controller makes sure that collecting data complies with EU regulations. Controllers write consent forms and privacy notices. These documents enable them to obtain consent to collect and share data.

Data controllers also choose forms of data gathering with a “lawful purpose” under GDPR. Under Article 6 of the regulations, there are six lawful reasons to process data. The data controller must state these reasons in its privacy notices.

When controllers or processors go beyond the purposes stated in privacy notices or DPAs, the controller is liable for GDPR penalties. This rule applies if the data controller knows about privacy violations carried out by processors but takes no remedial action.

Penalties differ if processors breach DPAs without the knowledge of the controller. In that case, regulators may determine that the processor has become a controller. The processor will then be liable for fines and other compliance actions.

Data controller examples

Whenever you visit a website and grant consent to share data, you are dealing with a data controller. Examples include:

• eCommerce websites that collect customer information to target their products.
• Social media platforms that store user data and gather information to deliver content.
• Companies that gather data about employees.
• Online banks and other financial institutions that handle personal financial data.
• Streaming services like Netflix that collect personal data to deliver recommendations.
  
  

Critical compliance tasks at data controllers are usually managed by the Data Protection Officer (DPO). The Data Protection Officer acts as the main contact for data subjects and regulators. Their identity is included in privacy notices, providing data subjects with a clear route to exercise their GDPR rights.

Joint Controllers and their shared responsibilities

Data controllers do not always act alone. A single data controller will often collaborate to deliver services and share data. In these situations, the parties are called ‘joint controllers.’

Joint controllers involve two or more organizations that share GDPR responsibilities. These organizations jointly determine the scope and purpose of data collection. Organizations also share liability when GDPR violations occur.

Multiple controllers generally operate shared compliance strategies governed by Joint Controller Agreements (JCAs). These agreements ensure that joint arrangements safeguard user privacy. They contain the following elements:

• Identifying participants in a joint controller arrangement
• Agreeing roles and responsibilities
• Stating who obtains consent and contacts data subjects
• Stating how parties will respect user rights
• Incident response protocols when a data breach occurs
• Liability clauses in the event of violations
• Whether DPIAs are required to protect privacy
• Information sharing to enable compliance
  
  

Joint data controller arrangements allow companies to leverage different skills or audiences. For example, partnerships could involve recruitment experts and financial institutions. Social media platforms may partner with app developers. This allows them to gather user data and deliver new services.

Joint arrangements can also allow many parties to use the same data effectively. Companies may find creative uses for personal data gathered by other businesses. Co-operating with joint controllers provides legitimate access to this data.

The travel industry features many examples of joint controller setups. International hotel booking companies often work with flight bookers and vehicle hire businesses. Companies in these collaborations may need to share customer data. They act as joint data controllers when they gather data from EU residents.

Processors definition

A data processor acts on behalf of one or more data controllers. An organization is classed as a ‘processor’ under GDPR if it processes personal data on behalf of a controller.

Data processors follow the instructions of controllers. They have limited freedom about how they process data. A data processor cannot determine why they collect data. The processor does not decide what types of data to collect. The data controller carries out these functions.

Processors have limited compliance responsibilities. They must follow the terms of Data Processing Agreements, secure data using appropriate controls, and prevent data exposure or unauthorized sharing.

Penalties for GDPR violations tend to fall most heavily on controllers. However, data processors can receive penalties if they:

• Process personal data without authorization
• Do not follow processing instructions from the data controller
• Fail to use adequate security measures
• Use sub-processors without obtaining consent from the data controller
• Do not help controllers to meet their GDPR obligations. For example, processors may deny data subject access requests.
• Do not report breaches promptly
• Move data to non-EU jurisdictions without consent
  
  

There are many examples of data processors. Some processors handle back-office functions for customer-facing businesses. An example is a payroll processor handling employee payments for a retail partner.

Companies that analyze web traffic for website owners also qualify as data processors. This rule applies if they process personal data that can identify website visitors.

What is a sub-processor?

A data processor may delegate functions to other organizations. Delegation is allowable under GDPR with proper safeguards. And contracting partners are called ‘sub-processors’.

Sub-processors handle personal data on behalf of data processors. They follow the terms of the original DPA between the data controller and the processor. The data controller must grant consent before sub-processors start handling personal data.

GDPR guidelines tightly control the activities of sub-processors. Sub-processing generally represents an extension of the data processor’s role. But processors must make appropriate arrangements before starting sub-processing operations:

• Sub-processing contracts should define the roles of sub-processors.
• Data Protection Impact Assessments (DPIAs) should also assess the activities of the sub-processor. They should identify any compliance risks.
  
  

Sub-processors have fewer regulatory obligations than primary data processors or controllers. Some situations can result in fines under GDPR. For example, breaching contracts or DPIAs may lead to penalties. Third-party processors must assist in fulfilling regulatory requests. And they need to apply comprehensive security measures.

However, the controllers and primary processors have a much heavier compliance burden. They are responsible for writing and enforcing agreements for sub-processors to follow.

Types of sub-processors

Sub-processors come in many forms. The rise of cloud computing has made secondary processors more common.

For instance, a company may offer integrated business management tools to cloud customers. Examples could include HR or customer management systems from other vendors.

In this case, the cloud management company is a data processor. Third parties that integrate with its platform qualify as sub-processors. All sub-processors working with the cloud provider require Data Processing Agreements to handle information from data controllers.

Email marketing services can also qualify as sub-processors. Processors may use these companies to send marketing messages in line with GDPR principles. And companies often bring in IT partners to maintain their systems. If these IT partners have access to personal data, they are sub-processors under GDPR.

Differences between a GDPR data controller vs. data processor

GDPR sets out clear differences between controllers and processors. According to Article 4 of the regulations:

• A data controller decides the purpose of data gathering and how to collect data.
• A data processor executes data processing operations following instructions from the data controller.

Data processing in this context involves performing actions on personal data. Relevant actions could include collecting, storing, and classifying personal data. Any act that uses identifiable data from customers or website users falls under GDPR.

The definitions above show that controllers and processors have different compliance responsibilities.

Controllers have the tightest compliance requirements. They have an overall responsibility to ensure data gathering complies with GDPR. Every data protection controller must use DPIAs to assess processing partners. They are liable for severe fines when regulators detect privacy violations.

A data processor usually has lighter compliance responsibilities. They must document their processing activities and security policies. A data processor must assess systems to detect vulnerabilities. And they can be liable for smaller fines when violations occur.

It is important to understand that a data processor can also become a data controller. This happens when the data processor begins collecting or using data in ways without approval from the data controller. When this occurs, the compliance role of processors changes. The result can be much higher regulatory penalties.

The vital role of GDPR data controllers in protecting personal data

The General Data Protection Regulation has changed privacy practices across the world. Now, all companies doing business with EU residents must follow GDPR guidelines.

Companies that fail to comply suffer severe consequences. European regulators can fine businesses up to 4% of global turnover. GDPR breaches also harm brand reputations if customers perceive threats to their privacy. Non-compliance is not an option.

Data controllers have a special role in the GDPR compliance landscape. They are responsible for organizing data processing systems. Controllers ensure that data processing meets EU standards. They protect the privacy of customers when transferring data across borders. They obtain consent to share data if necessary. And they manage relationships with third-party data processors.

Companies should know their status under GDPR. If you collect data from customers directly, you are almost certainly a controller. If you work on behalf of organizations that collect data, you qualify as a data processor. And if you handle data at one remove from controllers, you qualify as a sub-processor.

Knowing your GDPR status makes it easier to create compliance strategies. Be aware that processors can become controllers without compliant privacy practices. And design contracts and risk assessments that determine organizational roles under GDPR.

With awareness and planning, companies can collaborate smoothly. They can share and transfer data and serve their customers efficiently. However, this can only happen when GDPR compliance is a corporate priority.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.