The GDPR imposes obligations on both controllers and processors of personal information, but the two sets of responsibilities are different, and controllers are subject to the most wide-reaching obligations. Organisations need to know their status for each processing activity they undertake, because failure to comply with the obligations attached to that status is a breach of the GDPR. This may attract fines or other penalties imposed by supervisory authorities (the ICO in the UK), and even court action for damages by individuals whose privacy rights have not been upheld.
Controllers and joint controllers and processors, oh my!
A controller is the party which determines the purposes and means of the processing of personal information.
Controllers are responsible for GDPR compliance and they have primary responsibility for the protection of the privacy rights of individuals. If they engage a processor, they remain ultimately accountable to the supervisory authorities for GDPR compliance of their processing. They cannot outsource that responsibility to their processors. Controllers must appoint any processors by written contract containing compulsory terms governing specific areas of GDPR compliance.
Note that controllers are also responsible for paying the annual Data Protection Fee to the ICO, unless an exemption applies to them.
Joint controllers are two or more controllers who jointly determine the purposes and means of processing. Two or more controllers are not joint controllers merely because they process the same personal information: if each does so for its own, different purposes, they are separate controllers.
Joint controllers must have a ‘transparent arrangement’ between them which apportions responsibility for their obligations under the GDPR (particularly those concerning the rights of individuals). The essence of this arrangement must be made available to individuals, and the ICO recommends it is included in privacy policies. Regardless of what has been agreed about who is responsible for which GDPR obligation, each joint controller remains liable to the supervisory authorities and to individuals for compliance with all of the controller obligations in the GDPR, and individuals may exercise their rights against any one of them.
A processor is a party which processes personal data on behalf of the controller. A sub-processor is a party to which the processor has outsourced some or all of that processing, e.g. a cloud service used to store personal information. A processor may only engage a sub-processor with the controller’s prior written authorisation (general or specific), and must flow down the same data protection obligations in its contract with the sub-processor.
Processors’ obligations under the GDPR are more limited than controllers’, although they do have some direct obligations of their own, such as keeping records of processing, implementing appropriate security measures and notifying the controller of personal data breaches. Above all, they must act in accordance with the controller’s documented instructions (unless otherwise required by law). If a processor goes beyond or against the controller’s instructions by determining the purposes and means of processing itself, it will be treated as the controller for that part of the processing and will carry the same, more extensive, GDPR liability as a controller.
How to tell whether you are a controller or a processor
This depends ultimately on who decides the purposes for which personal information is processed and the means of processing; the label the parties give themselves in a contract does not settle the question. The ICO provides useful checklists to help organisations determine whether they are a controller, joint controller or processor for any particular processing activity.
This exercise must be carried out for every processing activity an organisation is involved in, because many organisations act as a controller, a joint controller and a processor at the same time in respect of different processing activities. You should record your status for each of your processing activities, for example in your record of processing activities. Identifying your role in processing personal information is a vital step in your GDPR compliance, and organisations using the Privacy Compliance Hub know how to do this.