controller or processor

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’?

With this short and simple article, we will try to explain the basics of controllers and processors.

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

Processors act on behalf of, and only on the instructions of, the relevant controller.

How do you determine whether you are a controller or processor?

You should be able to differentiate between controllers, joint controllers and processors so you understand which GDPR obligations apply to which organisation.

To determine whether you are a controller or processor, you will need to consider your role and responsibilities in relation to your data processing activities.

If you exercise overall control of the purpose and means of the processing of personal data – ie, you decide what data to process and why – you are a controller.

If you don’t have any purpose of your own for processing the data and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the data.

What does it mean if you are a controller?

Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s) and should have signed relevant agreements with them. Those could be depending on circumstances Data Processing Agreement, Standard Contractual Clauses, etc.

Supervisory authorities and individuals may take action against a controller regarding a breach of its obligations.

What does it mean if you are a processor?

Processors do not have the same obligations as controllers under the GDPR. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.

Both supervisory authorities and individuals may take action against a processor regarding a breach of those obligations.

What does it mean if you are joint controllers?

Joint controllers must arrange between themselves who will take primary responsibility for complying with GDPR obligations, and in particular transparency obligations and individuals’ rights. They should make this information available to individuals.

However, all joint controllers remain responsible for compliance with the controller obligations under the GDPR. Both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.

Other useful resources on this subject: ICO, EU

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss,...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR Article 30 requires companies to keep an...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Why businesses need Data Processing Agreement (DPA)? It’s practically not possible to run a business without processing personal data and...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...

Zpracovává vaše společnost osobní údaje?


Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje

 

Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 


Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?


Kas teie ettevõte kogub ja töötleb isikuandmeid?


Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?


Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data