GDPR Data Controllers vs Processors

The European Union’s General Data Protection Regulation, 2018 (the “GDPR”) grants several rights to individuals with respect to their personal data by imposing responsibilities on organizations, in their respective capacities as data controllers or data processors.

The codification of the responsibilities of data controllers and data processors under the GDPR has widespread implications for businesses impacted by the GDPR’s requirements. This article discusses the roles and responsibilities of data controllers and processors as per the provisions of the GDPR.

What Does the GDPR Say About Data Controllers and Data Processors?

The GDPR defines a data controller as a legal or natural person, an agency, a public authority, or any other body that determines the purposes and means of processing personal data alone or in conjunction with others.

On the other hand, a data processor is a legal or natural person, agency, public authority, or other entity that processes personal data on behalf of a data controller.

The GDPR mandates that data controllers and data processors should comply with the provisions of the GDPR in their functions. It is important to note that the roles of data controllers and data processors are ‘functional’ in nature, with different responsibilities being allocated to each role.

Therefore, under the GDPR framework, the status of an entity as a ‘controller’ or a ‘processor’ should be determined as per a factual analysis conducted in light of their actual functions, rather than any formal designation associated with them.

What are the Key Differences Between Controller and Processor?

The substantive difference between data controllers and data processors lies in their functions.

Data controllers are entities that determine the means and purposes of data processing. They decide why data processing is required in a particular situation and how such an objective would be achieved. On the other hand, data processors conduct the function of processing in accordance with the instructions of data controllers.

It should be noted that while data processors may exert limited control over how the processing should be conducted, such as choosing a particular type of hardware or software or implementing detailed technical security measures, it is the data controller that determines essential aspects of the means of processing, such as the type of personal data to be processed, the duration of the processing, and the categories of recipients and data subjects.

As per Article 28(10) of the GDPR, if a processor determines the purposes and means of a processing activity, the processor shall be considered a controller in respect of that processing.

Who Can Be a Data Controller?

As per the definition of a ‘controller’ under the GDPR, there is no limitation on which entity might perform the role of a controller. A data controller could be:

• a private firm or any other legal body, such as an established organization, an associated partnership, or a government agency; or
• a professional individual, such as a sole partnership partner, a sole trader, or any self-employed professional.

In practice, it is usually an organization, and not an individual within such an organization, who performs the functions of a data controller. It is principally assumed that any processing activity that takes place within an organization is under the control of that organization.

Joint Controllers

As per Article 26 of the GDPR, where two or more data controllers collectively determine the purposes and means of data processing, they are called joint data controllers. Joint controllers are required to determine their respective responsibilities under the GDPR in a transparent manner by way of a legal arrangement between them, which should duly reflect the respective roles of the controllers with respect to the data subjects.

Such an arrangement should be made available to the data subjects and may include the details of a contact point for the data subjects. It is significant to note that irrespective of the terms of any such arrangement, the data subjects are entitled to exercise their rights under the GDPR in relation to and against each of the relevant data controllers.

Who Can Be a Data Processor?

Similar to data controllers, a data processor can be any entity, including an organization or an individual. A data controller may choose to engage multiple processors. A processor is a separate entity in relation to the controller, which means that an external organization should process personal data on behalf of the controller.

If a controller organization delegates data processing responsibilities to its own staff or departments, such staff or departments would not be construed as ‘processors’ in terms of the GDPR.

Further, the processor must process personal data on behalf of the controller. Even though a data processor is free to make daily operational decisions regarding the processing of data and may enjoy a certain level of discretion in choosing appropriate technical and organizational measures to serve the controller’s interests, a processor should implement the instructions of the data controller with respect to the purposes of processing and the essential aspects of means of processing. A processor may be held liable or fined if it fails to comply with the controller's instructions or the provisions of the GDPR.

Data subjects have the right to claim against data controllers and data processors if their rights under the GDPR are infringed due to non-compliance by a data controller or data processor. Thus, data processors must always ensure that they must adhere to the instructions of, or the contractual terms as agreed with, the controller.

What Is a Sub-Processor According to the GDPR?

The GDPR does not define the term “sub-processor”, however, where a data processor decides to outsource part or all of its data processing obligations to a third party with the prior written authorization of the controller, such third party may be referred to as a “sub-processor.”

The data processor remains entirely accountable to the data controller for the activities of the sub-processor. Under the GDPR, the same data protection obligations should be imposed on the sub-processor, as imposed on the processor through a contract with the controller or any other legal act under the applicable law.

What are Data Controllers’ Responsibilities?

Article 24 of the GDPR mandates the data controller to take into account the nature, scope, context, and purposes of any processing activity and the risks posed to the rights and freedoms of natural persons, and consequently implement such appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the requirements of the GDPR.

Under Article 5 of the GDPR, data controllers are responsible for and must be able to demonstrate compliance with the principles of data processing, that is, lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Data controllers should also ensure that all processing activities based on consent are lawful and the consent is duly obtained and validly subsisting in accordance with the GDPR. Controllers are also obligated under the GDPR to provide data subjects with specified information where personal data have been obtained in relation to them.

Controllers should also facilitate the exercise of data subjects’ rights and provide timely information on actions taken in response to any requests regarding data subjects’ rights.

The controllers should use only those processors which provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and protect the rights of the data subjects.

The controller may rely on adherence to approved codes of conduct, as referred to in Article 40 of the GDPR, or approved certification mechanisms, as referred to in Article 42 of the GDPR, as tools that demonstrate compliance with its obligations under the GDPR.

What are Data Processors’ Responsibilities?

Under the GDPR, data processors are required to provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that all processing activities meet the requirements of the GDPR and protect the rights of the data subject.

The responsibilities of a processor are outlined in a contract between the processor and controller, or defined through any other legal act. Such instruments should, in writing, outline the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The instruments shall further stipulate that the processor should:

• process the personal data only on documented instructions from the controller, unless required to do so under the applicable legal framework, in which case, the processor shall inform the controller of such requirement before processing, unless such communication is prohibited on important grounds of public interest;
• ensure that persons authorized to process the personal data are under an obligation of confidentiality;
• take all measures required for the security of processing, as specified in Article 32 of the GDPR;
• respect requirements of the GDPR in relation to engaging a sub-processor;
• taking into account the nature of the processing, to the extent possible, assist the controller through appropriate technical and organizational measures for the fulfillment of the controller’s obligation to respond to requests in relation to the data subjects’ rights;
• assist the controller in ensuring compliance with obligations in relation to conducting DPIAs, issuing personal data breach notifications, and security of processing, taking into account the nature of processing and the information available to the processor;
• at the choice of the controller, delete or return all the personal data to the controller upon expiry of termination of its services, and delete existing copies unless the applicable law requires storage of the personal data; and
• make available to the controller all information necessary to demonstrate compliance with the obligations specified above, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. In this respect, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or any other applicable law.

Data Protection Impact Assessments

Where a processing activity (in particular, usage of new technologies) is likely to result in a high risk to the rights and freedoms of natural persons, the controllers are required, prior to the processing, to carry out an assessment of the potential impact of such processing activity on the protection of personal data, in accordance with Article 35 of the GDPR (a “Data Protection Impact Assessment” or “DPIA”).

Records of Processing Activities

Data controllers are required to retain records of their processing activities. The RoPA might consist of:

• the controller's name and contact information;
• the purposes of the processing;
• a summary of the various types of personal data and data subjects;
• the groups of third parties which have received or may receive personal data;
• the parties to which the personal data has been or will be transferred, as well as information on the security measures used;
• the anticipated time limits for the deletion of the various types of data; and
• a detail of the organizational and technical security protocols implemented to protect the data's integrity and confidentiality.

Privacy by Design and Privacy by Default

To ensure compliance with data protection by design and data protection by default, controllers must, at the time of determining the means of processing, implement such technical and organizational measures, which effectively mitigate the risks posed to the rights of the data subject as a result of such processing activity.

Further, the controller has a continued obligation throughout the processing activity to monitor changes in the nature, scope, or context of the processing or risks posed to the data subjects, to ensure that appropriate and timely measures are employed to protect the rights of the data subjects.

Under the data protection by default framework, controllers should implement such privacy-oriented processing settings by default, which limit the processing of personal data to that necessary in accordance with predetermined and specified purposes.

Data Protection Officers

Article 37 of the GDPR mandates both controllers and processors to designate data protection officers (the “DPOs”) in cases where:

1. the processing is carried out by a public authority or body (except for courts acting in their judicial capacity),
2. the core activities of the controller or processor consist of such processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale, or
3. the core activities of the controller or processor consist of processing on a large scale of special categories of data as specified in Article 9 of GDPR or personal data relating to criminal convictions and offenses as referred to in Article 10 of GDPR.

Personal Data Breach Notification

In the event of a personal data breach, data controllers are required to notify both the supervisory authority and the data subjects in accordance with Articles 33 and 34 of the GDPR.
While data processors are not required to directly notify the regulatory authority or impacted data subjects, Article 33 of the GDPR requires them to notify the data controllers of a breach without undue delay upon becoming aware thereof.

International Data Transfers

Any personal data transfers to another country outside the European Union can take place only when an adequate level of data protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. These safeguards include binding corporate rules, standard contractual clauses (SCCs), and ad-hoc contractual clauses.

While relying on SCCs as a cross-border transfer tool, processors must adhere to the documented instructions of the data controller regardless of whether the controller is the importer or exporter of the data. In controller-to-processor agreements, any data breach has to be reported by the importer processor to the controller exporter.

In addition, processors are required to ensure that any onward transfer of the transferred data is subject to specified, explicit and legitimate purposes and such onward disclosure of personal data to a third party can only take place if the data importer is instructed to do so by the data exporter controller. Moreover, data importers must utilize sub-processors only with the authorization of the controller.

How Does Securiti Help?

By harnessing the power of artificial intelligence, Securiti enables enterprises to comply with the GDPR’s requirements. Securiti is the leading provider of ‘Data Command Center’ that stands for security, privacy, governance and compliance. Its Data Command Center solution offers complete visibility and controls over data across hybrid and multi-cloud environments.

DSR automation, documented accountability, better visibility into data processing operations, automated PI data linking, and other GDPR-compliant worthy features are deeply integrated into Securiti’s ecosystem.

Learn more about how to become GDPR-compliant. Request a demo today.