GDPR defines a data controller as: “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” … The data controller will decide the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.
The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.
Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
Your company/organisation is a joint controller when, together with one or more other organisations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules.
The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract part of its task to another processor, or appoint a joint processor, when it has received prior written authorisation from the data controller.
One of the questions most frequently raised by organisations working on EU GDPR implementation was what the differences between a data controller and a data processor under the GDPR are.
There are, however, situations where an organisation can be a data controller, a data processor, or both.
According to Article 4 of the EU GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
So, the organisations that determine the purposes and means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organisation (processor) that stores, digitises, and catalogues all the information produced on paper by the bank. Both organisations (controller and processor) are responsible for handling the personal data of these customers.