GDPR Data Processor and Data Controller definitions

The General Data Protection Regulation (GDPR) is a privacy law that protects the Personally Identifiable Information (PII) of residents of the European Union. While the law has a broad application, applying to businesses in and outside of the European Union, it generally applies to Data Processors and Data Controllers. Processors and Controllers have a myriad of responsibilities under GDPR, such as the requirement to have a Privacy Policy, to process PII under a lawful basis, and to respect the rights of EU data subjects. In this article, we will discuss how GDPR defines Data Controller and Data Processor so that you can determine whether GDPR applies to you and what your responsibilities are if it does.

GDPR definition of Data Controller

GDPR defines “Data Controller” as a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of PII. What does it mean to determine the purposes and means of processing? Determining the means refers to the factual influence that the controller has over the processing operation. The following questions should be asked to determine whether such influence exists:

  • Why is the processing taking place? 
  • Who initiated the processing? 
  • Who benefits from the processing? 

Responsibilities of the Data Controller

The Data Controller has the primary responsibility for ensuring compliance with GDPR. If you are the Data Controller, you are responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in compliance with this privacy law. These measures should take into account the following: 

  • Nature, scope, context, and purposes of the processing; and 
  • The risks of varying likelihood and severity for the rights and freedoms of natural persons due to your processing. 

You can determine the risks inherent to the processing of PII by performing a thorough risk assessment. You also hold the responsibility for ensuring that the privacy rights of data subjects are protected and respected and that your data processing operations comply with GDPR. 

GDPR definition of the Data Processor

GDPR defines a Data Processor as a natural or legal person, public authority, agency or other body which processes PII on behalf of the controller. Remember that processors still have to meet certain requirements under GDPR even if they are not defining why and how that PII is processed. Data processors act in the interest of the data controller, meaning that the processor is serving the controller’s interest by carrying out a specific task and is following the instructions set out by the controller, at least with regard to the purpose and essential means of the data processing.

Responsibilities of the Data Processor 

Data Processors have the following responsibilities under GDPR: 

  • Process PII in accordance with the instructions provided by the Data Controller; 
  • Receive the consent of the Data Controller prior to using any subcontractors; 
  • Have a contract with the Data Controller; 
  • Demonstrate compliance with the requirements of GDPR; and 
  • Implement appropriate security measures. 

Determining whether you qualify as the Data Processor or the Data Controller under GDPR will help you understand your requirements for complying with this law. Regardless of your position, you need to ensure that your processing is in compliance with the requirements of GDPR, meaning that you need to make sure that your website has a compliant Privacy Policy. Use Termageddon’s Privacy Policy generator to help you get GDPR compliant and avoid privacy-related fines.