In the journey to compliance with the General Data Protection Regulation of the European Union, which came into force in 2018, one of the most crucial aspects is determining the role your organization has to play. Is it a controller, joint controller, or a processor? Depending on the answer, your obligations under the GDPR will be very different.
Our team at Xcure is determined to help you find these answers and become compliant. Because of this, we now explain what controllers and processors are, the main differences between them and their obligations. This article is part of our special data protection law series, so don’t forget to follow us on LinkedIn to get all of our updates!
Who is considered a controller or a processor under the GDPR?
A controller is defined as a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This means that if your organization is the one deciding the whys and hows of the processing, it is considered a controller.
If it does so together with other organizations, using the same data set and operating jointly, it is a joint controller. If several organizations hold the same data but each has its own purpose and determines how its own processing is done, they are regarded as independent controllers.
On the other hand, a processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Processors may still have some latitude over the technical and organizational aspects of the processing.
It is important to note that under the GDPR what matters is the practical implementation. Even if there is a contract stating that your organization is only a processor, for example, but in practice you are determining the purpose or means of the processing, the supervisory authority might decide that you are a controller and should be treated as such.
Do controllers and processors have different obligations?
Controllers and processors have many points in common, such as:
- The possibility of being either natural or legal persons
- Being accountable under the GDPR
- Responsibility for the security of personal data and for compliance with international data transfer law
- Being subject to fines and compensations in case of violation.
Nevertheless, since controllers are the ones determining the main aspects of the processing of personal data, the Regulation gives them most of the responsibility for it. Here are some of the main areas in which their obligations differ from those of processors:
The legal basis and purposes of the data processing: Controllers are the ones tasked with determining the legal basis for the processing and its purposes. The GDPR provides six possible bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Controllers are also responsible for documenting this process.
Data subject rights: If a data subject makes any request regarding his or her rights, the controller is responsible for replying to it. This includes the rights to access, rectification, erasure, portability and restriction of processing. Failing to do so constitutes a serious infringement.
Data breach: In the event of a breach of security, controllers will have to determine if it constitutes a data breach and if it poses risk to the rights and freedoms of data subjects. They must also inform the relevant supervisory authority within 72 hours and, depending on the case, the subjects affected. Processors do not have such obligations. If a breach occurs, they must inform the controller, who will take the necessary steps to resolve the situation.
Principles of data processing: The GDPR sets out six principles of data protection, and controllers are in charge of making sure that they are respected. This includes, for example, ensuring that data is processed with a legal basis and in a transparent way (principles of lawfulness, fairness and transparency), and that data is used only for the purposes it was collected for (principle of purpose limitation). Data must also be accurate and kept up to date (principle of accuracy).
Finally, the GDPR also brings some duties that are exclusive to processors, namely:
- Act only based on the written instructions of the controller
- Ensure that individuals processing personal data are subject to a duty of confidence
- Assist the data controller in handling requests from data subjects and supervisory authorities, as well as with the notification of data breaches
- Delete or return the personal data upon request from the controller or at the end of the contract
- Submit to audits and inspections.
Understanding the different roles organizations play under the GDPR is essential to making your organization compliant with the Regulation. Do you know what else is helpful in this process? Following our new data protection law series on LinkedIn and trying the Privacy Management Tool for free, with which you can map, document and maintain the data protection requirements of your company!
Contact the Xcure team if you want more information or a presentation of the Privacy Management Tool.