Differences between a GDPR Data Controller vs. Data Processor
If you are just starting out on your GDPR journey, understanding the key differences between a data processor and a data controller is an important concept to grasp. In large part, the data controller is the one that collects or possesses the data, and the processor is a third-party engaged by the controller to do data processing.
Three definitions from Article 4 should help speed your understanding of processors and controllers along:
– A data controller determines the purposes and means of the processing of personal data.
– A processor engages in personal data processing on behalf of the controller.
– Processing involves any operation (or set of operations) performed on personal data, such as, but not limited to, collection, structuring, storage, use or disclosure.
The organizations play different roles with respect to the data. The controller gets to call the shots. The processor follows the instructions of the controller and performs the operations requested. If the organizations are jointly determining processing, then they are considered joint controllers under the law.
Example of a Data Controller and Data Processor
Here is an example to help reinforce the differences conceptually:
A website collects personal data from a customer located in the European Union during the customer’s purchase of a product. The personal data includes identifying information such as the customer’s name, address and phone number. After all, the product has to be shipped to the purchaser in Europe.
The operator of the website uses a third-party warehouse to store and ship the products on its behalf. In order to make sure the packages get to the right place, the website operator sends the warehouse the customer’s name and address. The warehouse then ships a package, including the purchased product, to the consumer.
The website operator is the controller. They collect the data and determine how it is processed. The warehouse is the processor. They receive the data from the controller and use it to mail the package.
There are some overlapping requirements in GDPR that apply to both data processors and data controllers. However, there are a number of areas where the responsibilities are different.
What are the key differences between a GDPR data processor vs. data controller?
– The data controller gives instructions for processing to the data processor. The processor cannot process personal data except upon the instructions of the controller. If a processor unlawfully processes personal data without instructions, they may be considered a controller instead.
– The controller is responsible for implementing measures to ensure that processing occurs pursuant to GDPR. The text of the law tasks the processor with helping the controller with certain tasks, including providing the information necessary to demonstrate compliance. The processor must also immediately tell the controller if an instruction violates GDPR.
– The controller is responsible for carrying out Article 35 Data Protection Impact Assessments (DPIAs), where one is necessary. Under Article 28, the processor is charged with assisting the controller in meeting that obligation.
– The controller can engage any processor that meets the vendor management requirements imposed by GDPR and agrees to an appropriate written contract for processing. The data processor may only engage other processors that the controller has approved or instructed it to use.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.