
Understanding Data Controller and Data Processor

Understanding the roles of Data Controller and Data Processor is important for maintaining data privacy. As data protection laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have gained importance, knowing the difference between these roles is essential for complying with the regulations and protecting individuals’ privacy. (The GDPR uses the terms “controller” and “processor”; the CCPA uses the analogous terms “business” and “service provider”. This article uses the GDPR terminology.)

Data Controller

Definition

A Data Controller is the entity that determines the purposes for which personal data is collected and the means by which it is processed. In simple words, the Data Controller decides why and how personal data will be processed.

Example

  • E-commerce Company like Amazon: Amazon decides what customer data to collect (e.g. names, addresses, payment information), how to process it (e.g. for shipping, marketing, and customer service), and the purpose for which the data will be used. Amazon is the controller because it determines how and why personal data is processed.
  • Healthcare Provider: A hospital collects and processes patient data (e.g., medical records, contact information) to provide healthcare services. The hospital decides what data is needed, how it is used, and for what purpose (e.g. treatment, billing, and medical research).

Key Responsibilities

  1. Determining the Purpose: The Data Controller decides the purpose for which personal data is collected and processed. They answer the “why” and “how” of data processing.
  2. Legal Basis: The Controller must ensure that there is a lawful basis for processing personal data, such as obtaining consent from data subjects or fulfilling a contract.
  3. Data Minimization: The Controller must ensure that the personal data collected is adequate, relevant, and limited to what is necessary for the purpose for which it is processed.
  4. Transparency: The Controller is responsible for informing data subjects about how their data will be used, who it will be shared with and their rights under the law through Privacy Policy or Privacy Notice.
  5. Security Measures: The Controller must implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage.
  6. Data Protection Impact Assessments (DPIAs): The Controller must conduct a DPIA before starting any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects.
  7. Contractual Obligations: The Controller must establish Data Processing Agreements (DPAs) with the Data Processors they engage and clearly outline the Processor’s duties and obligations.
  8. Reporting Data Breaches: In the event of a personal data breach, the Controller is responsible for reporting it to the relevant supervisory authority within the timeframe provided under the applicable law (under the GDPR, without undue delay and where feasible within 72 hours of becoming aware of it) and, where the breach is likely to result in a high risk to individuals, informing the affected individuals without undue delay.
  9. Appointing a Data Protection Officer (DPO): If required by law, the Controller must appoint a DPO to oversee data protection activities and ensure compliance.

Data Processor

Definition

A Data Processor is an entity that processes personal data on behalf of the Data Controller. The Processor acts under the instructions of the Controller and does not have the authority to decide the purpose or means of processing.

Example

  • Email Marketing Service like Mailchimp: A business (Controller) uses Mailchimp to send marketing emails to its customers. The business provides the customer email list and content for the emails, while Mailchimp handles the actual sending and tracking of emails. Mailchimp is the Processor, acting on the Controller’s behalf.
  • A third-party IT service provider: A company (Controller) hires an IT service provider to manage and maintain its internal systems. The IT provider might have access to personal data within the systems, such as employee or customer data, but it only processes this data according to the Controller’s instructions.

Key Responsibilities:

  1. Following Instructions: The Processor must process data only on the documented instructions of the Data Controller, as set out in the Data Processing Agreement. They do not decide why or how the data is processed. A Processor that starts to determine the purposes and means of processing on its own is treated as a Controller for that processing, with all of the Controller’s obligations.
  2. Security Measures: The Processor is required to implement security measures to protect the data they process, ensuring that it is safe from unauthorized access, loss, or damage.
  3. Assisting with DPIAs: The Processor must assist the Controller in conducting Data Protection Impact Assessments by providing required information about the processing activities.
  4. Maintaining Records: The Processor is responsible for keeping records of all processing activities they carry out on behalf of the Controller. These records should be available for inspection by regulatory authorities if needed.
  5. Reporting Data Breaches: The Processor must inform the Controller without undue delay after becoming aware of a personal data breach, so that the Controller can take appropriate action, including reporting the breach to the authorities and affected individuals if required.
  6. Subcontracting: If the Processor needs to engage another Processor (a sub-processor), it must obtain the Controller’s prior written authorisation (specific, or general with a right to object to changes), flow down the same data protection obligations to the sub-processor in a contract, and remain fully liable to the Controller for the sub-processor’s performance.
  7. Contractual Obligations: The Processor is bound by the terms of the Data Processing Agreement established with the Controller, which outlines their specific duties and obligations.
  8. Appointing a DPO: If the Processor’s activities meet the criteria set by law, they must also appoint a Data Protection Officer to oversee data protection compliance.

Example of Data Controller and Data Processor

  • A marketing agency (Data Processor) sends out emails on behalf of a retailer (Data Controller). The retailer is responsible for ensuring that the emails comply with data protection laws, while the agency must follow the retailer’s instructions.
  • A cloud storage provider stores data for a healthcare provider. The healthcare provider, as the Data Controller, decides what data is stored and how it is used, while the cloud provider, as the Data Processor, must store the data securely and only according to the healthcare provider’s instructions.

Legal Obligations

  • Data Controllers have a range of legal responsibilities, including ensuring that data is processed lawfully, transparently, and for a specific purpose. They must also provide individuals with information about how their data will be used and ensure that appropriate security measures are in place.
  • Data Processors are responsible for processing data according to the Data Controller’s instructions. They must also ensure the security of the data they process and notify the Data Controller if there is a data breach.

Data Processing Agreements (DPAs)

A Data Processing Agreement is a legal document that defines the relationship between the Data Controller and Data Processor. It explains how personal data should be handled, what security measures should be in place, and how data breaches should be managed.

Essential Clauses: These include the scope of processing, data protection measures, and obligations in case of a data breach.

The general clauses of a DPA include:

  1. Definitions: It explains what key terms mean, like what personal data is, who the data controller and data processor are, and who the data subjects are.
  2. Purpose and Scope: It describes why and how the data will be used.
  3. Details of Data Processing: It specifies what data is being processed, how it will be handled, and for how long.
  4. Responsibilities of the Data Processor: It lists what the data processor must do to keep the data safe, how they must help the data controller respond to data subject requests, and what to do if there’s a data breach.
  5. Sub-processors: It covers whether the data processor can use other companies to help with processing and what rules they must follow.
  6. Data Transfers: It outlines how and when data can be transferred to other countries, making sure it’s done safely and legally.
  7. Audit and Inspection Rights: Grants the data controller the right to audit and inspect to make sure that the data processor is following the DPA and data protection laws.
  8. Termination and Data Return or Deletion: Specifies what happens to the personal data upon termination of the agreement, including requirements for returning or deleting the data.
  9. Liability: It sets out who is responsible if something goes wrong and how any damage will be handled.
  10. Governing Law: Specifies the legal jurisdiction and applicable laws governing the DPA.

A well-drafted Data Processing Agreement (DPA) ensures that both parties understand their roles and responsibilities for protecting data. This reduces the risk of non-compliance and of data breaches.

Guidelines for Drafting: The DPA should be clear, comprehensive, and compliant with the relevant regulations. Both parties should review and agree on the terms to ensure that their responsibilities are clearly defined.

The Dual Role Scenario: When Can It Happen?

Separate Processing Activities: An organization can be a data controller and a data processor at the same time, but only with respect to different processing activities. For the data it processes for its own purposes, such as employee data collected for HR management and payroll, the organization is the controller throughout; running the payroll itself does not make it its own processor. It acts as a processor only when it processes personal data on another controller’s behalf and on that controller’s instructions.

Here are some real-world illustrations of when a company can be both a data controller and a data processor:

1. Cloud Service Providers:

Companies like Google Cloud and Microsoft Azure offer cloud computing services. They act as data controllers for the account, billing and usage data they process for their own purposes, such as managing and securing their cloud infrastructure. Simultaneously, they act as data processors for the customer content they store and compute on in services like data storage and virtual machines, processing that data on behalf of their clients under their data processing terms.

2. Social Media Platforms:

Social media platforms like Facebook and Instagram act as data controllers when they determine how user data is used for targeted advertising and user engagement. The same platforms can act as data processors in their business-facing services, when a business customer uses the platform’s tools to process data on the business’s behalf under the platform’s data processing terms.

3. Email Service Providers:

Providers like Google (Gmail) and Microsoft (Outlook) act as data controllers for their consumer email services, where they decide how user data is used to run the service and for advertising. At the same time, they act as data processors when they host email for business customers, processing and storing the employees’ emails on the business’s behalf and under its instructions.

4. Payment Processors:

Payment processors like Google Pay and Amazon Pay act as data controllers when they collect and manage user account information for their own purposes, such as operating the wallet and preventing fraud. They also act as data processors when they process payments on behalf of online merchants, handling customer financial data securely according to the merchant’s instructions.

Even when fulfilling both roles, the entity must follow the specific duties of each role for each processing activity. As a data controller, it must comply with data protection law, be transparent and fair, and respect data subject rights. As a data processor, it must process data only as instructed by the controller and put appropriate security measures in place.

Conclusion

Understanding the difference between Data Controllers and Data Processors is key to ensuring compliance with data protection laws. By clearly defining these roles and following legal obligations, organizations can protect individuals’ privacy and avoid significant penalties.