What is the difference between a data controller and a data processor?

The GDPR, among other things, clarifies the definition between a data controller and a data processor. The difference between them lies in the decision-making power with regard to data processing.


The GDPR introduced a number of guidelines, procedures and processes relating to the handling of personal data with effect from 25 May this year. Among other things, it defines so-called data controllers and data processors.

Although these functions were previously in the legislation, the GDPR clarifies them. So what is the difference between a data controller and a data processor? In a nutshell, it depends on whether you have the power to make decisions about data processing.

Data controller

A data controller is an entity under the GDPR that has the power to determine the purposes and means of processing personal data. It does so by collecting, processing and storing personal data. The controller is primarily responsible for the processing of personal data.

In order to process personal data at all, the controller must dhave a proper legal basis for processing that data. It must also be able to secure the data sufficiently.

Personal data processor

The processor of personal data may be a natural or legal person, a public authority, an agency, or any other entity that processes personal data on behalf of the controller. Unlike a controller of personal data, a processor may only carry out operations which the controller entrusts or which result from the tasks it has received from the controller.

Summary

It is clear from the above paragraphs that the controller authorises the processor and instructs it as to why and how it will process personal data.

The processor may only act in accordance with the controller's instructions. It does not have any right to determine the purpose of the data processing, to use the data or to disclose the data.

The data controller's rights are set out in the data protection information.

Have you been in a situation when processing personal data where you were unsure whether you were on the side of the controller or the processor of the personal data? Or on the contrary, do you feel that your controller or processor is acting in breach of the GDPR? Do not hesitate to contact us, we will be happy to discuss everything with you.