Are you the controller or processor of personal data? Are you really clear about this?

We believe that you are already experienced and experienced in the topic of GDPR. But we have decided to focus again on one important topic - data controller vs. data processor. Just in case.

If you know whether you fall into the category of data controller or data processor, you have the key to GDPR compliance. In fact, there is a very significant difference in the two terms. And if you know with clarity where you stand, then you need to document everything. The ultimate responsibility for ensuring that data subjects' rights are exercised and legal liability ultimately always rests with the controller.

Most commonly, the following three relationships can occur between two organisations processing personal data:

The controller versus the processor of personal data

  • The controller instructs the processor on how to process the personal data.
  • The processor must act only and only on the basis of instructions from the controller and must not use or disclose the data itself.
  • The controller is the person named in the privacy notice.
  • If the controller works with a processor, it is the controller's responsibility to have a binding agreement in place to address the conditions set out in the GDPR regulation.
  • If you are still unsure, then perhaps an example from practice will help. If your payroll is processed by an external accountant, then you are the controller and the accountant is the processor in that relationship.

Common data controllers

  • In this case, the controllers decide jointly on the processing of personal data.
  • The joint controllers may also process the same data or use each other's data for their own purposes.
  • The privacy notice must identify all data controllers
  • It is necessary for controllers to agree on their obligations and boundaries. This should be a formal arrangement in the form of a contract or data sharing agreement.

Example from practice: You hire an experiential events company. This company will organise a subsidised skydive. In this case, you need to treat the handling of personal data.

Data Controllers

  • This is usually a situation where one organisation will provide data to another organisation, but each will process the data independently of the other and for its own purposes.
  • Both organisations are required to provide privacy information to data subjects.
  • Each of these organisations is responsible for compliance with the GDPR.

An example from practice might be where an employer has a pension provider for its employees.

When processing personal data, have you found yourself in a situation where you were unsure whether you were on the side of the controller or the processor of the personal data? Do not hesitate to contact us, we will be happy to discuss everything with you.