When is our organisation a data controller respectively a data processor? These definitions can be hard to understand and get a grasp of, but it is important if you want to fulfil obligations in the GDPR. We at GDPR Hero receive many questions regarding the assessment whether an organisation is a controller or a processor. In this blog post, we hope to give you the answer to this difficult but important question!
Published February 21th 2020
Updated November 30th 2023
Definition of data controller
The data controller is the one who decides for which purposes the personal data shall be processed. The data controller is the one who decides how, when and why the personal data will be processed. The data controller is usually a legal person and not e.g. a CEO or other employees. Natural persons can be data controllers in certain situations. One of those situations Is if a natural person has a company with individual ownership.
You are the data controller if you e.g. collect personal data regarding your employees (name, address, e-mail, salary) when you sign the employment contract. You are also the data controller if you collect personal data (name, e-mail) regarding your customers to administer a newsletter. The assessment can stop here if you do not send this personal data to another organisation. If you do send the personal data to another organisation that begins to process the personal data, this other organisation might be a data processor. The other organisation is a data processor if it processes the personal data on your behalf.
Definition of data processor
You might be a data processor if someone else determines the means of processing. The data processor is not within the same organisation as the data controller and processes the personal data on behalf of the data controller. The data controller is usually a legal person, as was the case with the data processor. Bear in mind that there are more possibilities than one, the relationship does not always have to be that between a controller and a processor. In some situations, the organisations can be joint controllers or individual controllers. You can read more about it here.
The following examples are situations when personal data is transferred between organisations. The transfer can be from a controller to a processor or from a controller to another controller.
1. Controller – processor
You have collected personal data regarding your employees. You hired an external company to manage the payment of salaries to your employees. Therefore, you transfer the necessary personal data to the other company. You decide the purpose of processing (the other company are only allowed to use the personal data to pay your employees salary on the 25th each month) and they process the data on your behalf (they have received the personal data and instructions on how they have to process it from you).
2. Controller – processor
You have collected personal data regarding your customers. The data is stored on servers supplied by a third party, an IT-company. The IT-company has a server room, where all the information is stored, and the company takes care of maintenance of your IT-systems. In this example, the IT-company does not have the possibility to decide the purpose of the processing and it is a data processor.
3. Controller – controller
You hire a lawyer to pursue your claim in court. In situations where the counterpart’s main performance according to the agreement is not to process personal data, the counterpart is most often not a processor. One example is the above mentioned, when you hire a lawyer. The agreement between you and the lawyer means that the lawyer is to help you with a legal issue. For the lawyer to be able to help you with this, he or she must process personal data from your organisation. In this situation, you do not decide what type of personal data or how it is to be processed, in this situation the lawyer is independent. However, you should do a case-by-case assessment.
To say it in other words, it is generally the controller that decides. However, the controller can delegate which means to use, that is to say how a processing should be carried out, to a processor without their relationship changing. Example of factors that indicate that the relationship is that between a controller and a processor are if one of the operators is required by law to perform a task, where processing of data is necessary, and the other operator does not have their own interest in processing the personal data.
The collaboration can sometimes mean that more than one processing is concerned. In these situations, it is important to identify the different processings and determine the relationship processor/controller for every processing. To determine the different processing’s, you can base your assessment in the purpose of the processing.
GDPR Hero – the tool to help you!
According to the GDPR, both controllers and processors are many times obliged to keep records about their processing activities and to regulate the relationship between them.
In GDPR Hero, you can easily enter all the companies you transfer personal data to or receive personal data from. You will also have support from us, through e-mail, chat or phone.
Feel free to book a demonstration to learn more about how you can become GDPR-compliant. You can book the demo here.