So are you a data controller or a data processor? It’s important to understand this distinction as it defines your responsibilities under EU data protection law. Previously, data processors could avoid direct liability under the law, but new obligations under the GDPR change things.
Here, we’ll explain these changes, help you correctly identify whether you fall into the processor or controller camp and outline the obligations that apply to your organisation.
What is a data controller?
The data controller is the person or body who determines the purposes and means of processing personal data. In plain English, you decide what the data is for – and what’s going to happen to it.
Personal data is essentially any information that could identify a European citizen. It includes basic ID information such as names, addresses, telephone numbers, driving licence numbers, credit card details and web identifiers (such as usernames). It also includes sensitive (or special category) personal data such as genetic and biometric information.
So let’s say you run an e-commerce business. You’re going to collect the ID, contact and payment details of customers. The primary purpose of this is pretty obvious: to execute orders! You might have secondary purposes in mind, too: making future sales predictions and telling existing customers about new offers, for instance. In this example, the “means of processing” might be via a Cloud-based CRM system.
Can a data controller be a company or an individual?
A controller can be a company or other legal entity (such as an incorporated partnership, association or public authority), or an individual (including a self-employed professional). However, an individual processing personal data for a purely personal or household activity is not subject to the GDPR.
What is a data processor?
Data processing is a very wide term that basically means anything that is done to or with personal data. You might collect it manually or automatically, analyse it, use it for marketing or research purposes, or store it on behalf of someone else. In all of these situations you are “processing” that data.
A “processor” has a very distinct meaning under the GDPR. This refers to a person or body who is separate from the data controller (i.e. not an employee) and who processes personal data on behalf of that data controller. In other words, the controller gives the processor a specific job to do – and the processor does it.
Back to the example of the e-commerce business. It offers an extended warranty period on its goods. In order to keep track of any claims that might arise from this, it has decided to keep all customer purchase records for a period of three years. It hires a company to store this data on its behalf via an online archive system. This company is a “data processor” on behalf of the e-commerce business.