Data controller vs. data processor: What is the difference?
Under the General Data Protection Regulation (GDPR), two essential roles are defined in relation to personal data: the data controller and the data processor.
While the roles of controller and processor are closely related, the distinction is important to ensure compliance with data protection policies.
What data controllers do
According to Article 4 of the GDPR, the data controller is the person or organization that decides on the means and purposes of data processing. The controller is responsible for ensuring that personal data is processed in accordance with the GDPR as well as other data protection regulations. As a rule, the data controller is also the company that collects personal data. However, in some cases, it is necessary to work with an external service to collect and process the data.
Example of a data controller
- A primary care practice adds a new client to its file. The practice independently determines exactly what data will be processed, in what way, and for what purpose.
Here comes the data processor
The data processor is the person or organization that processes personally identifiable information on behalf of the data controller. Processing can mean collection, structuring, storage, use, as well as disclosure of personally identifiable information (PII). This third party neither owns nor controls the data. Consequently, it cannot change the purpose and means of data processing. Data processors are completely subject to the directives of the data controller. Cloud providers or payroll services are examples of third-party data processors.
Example of a data processor
- To organize your next company party, you hire an external printing company to create invitations. To do this, you supply names and addresses of employees and customers. The print shop acts as a data processor.
Difference between data controller and data processor
There are some gray areas and dual roles under the GDPR. You may be both a data controller and a data processor.
However, the difference between these two roles is fundamental, because the GDPR imposes different obligations on data controllers and data processors, as we explained in our article. Successful collaboration promotes compliance and prevents breaches of the rules and fines.