Under the European General Data Protection Regulation (GDPR), your responsibilities and duties vary depending on whether you are a data controller or a data processor.
In this guide, we explain the difference between a data controller and a data processor, and what your duties are in each case.
Under the GDPR, a data controller is defined as “any person or legal entity involved in determining the purpose and ways of processing the personal data.” In simpler terms, it’s the person or entity that decides what data should be collected and processed and why.
In the eyes of the law, the controller is the main person responsible for GDPR compliance in his organization and the one who is liable in case of non-compliance. His duties are, among others:
The GDPR defines the data processor as “any person or legal entity involved in processing personal data on behalf of the controller.” So, processors are basically entities chosen by the controller to handle part of the processing on their behalf.
The data controller and the data processor sign a contract called a Data Processing Agreement. This contract defines what the processor is responsible for and the conditions of the processing.
While the main responsibility for compliance starts with the data controller, data processors still have duties and responsibilities, as outlined in Article 28 of the GDPR:
This doesn’t mean that data processors aren’t liable for anything. For example, if a data subject believes that his data has been processed unlawfully, he can seek compensation from either the data controller or the data processor.
The main difference between a GDPR data controller and a data processor lies in their roles: the data controller decides what data should be collected and how it should be processed, while the data processor handles the processing on the controller’s behalf.
Let’s look at a few examples of data controllers and processors to better understand the difference.
In all these cases, both the data controller and processor need to sign a Data Processing Agreement, which defines the extent of their agreement.
Like many website owners, you may use Google products on your website or in your organization. So, you may be wondering: is Google my data processor?
The answer is, it depends.
Google acts as a data controller when it comes to the data it collects and processes for its own purposes. Some of this data may also come from your website if you use tools like Google Ad Manager or YouTube.
Google states: “We operate as a controller because we regularly make decisions on the data to deliver and improve the product”.
In other cases, Google can act as your data processor. For example, if your organization uses Google Workspace or Google Cloud, Google is your data processor, meaning that it can’t process your data for its own purposes, and you’ll need to enter into a Data Processing Agreement with it.