In the realm of data protection and privacy, understanding the roles of the different data parties, from controllers to processors to subjects, is crucial. These roles dictate responsibilities and obligations regarding the handling of personal data in a manner compliant with the relevant laws. Let’s delve into the definitions, responsibilities, and rights of data controllers, data processors, and data subjects.
Data Controllers
A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. They are typically the organization that collects personal data directly from data subjects and determines how and why that data is processed.
Responsibilities of a Data Controller:
- Determining Data Processing Purposes: Data controllers decide why and how personal data is processed. They must ensure that processing activities comply with data protection laws and regulations.
- Compliance: Data controllers are responsible for ensuring that all processing of personal data is done lawfully, fairly, and transparently.
- Data Subject Rights: Data controllers must enable data subjects to exercise their rights, including the rights of access, rectification, erasure, and data portability.
- Data Security: While data processors handle the technical aspects, data controllers are ultimately responsible for the security of personal data and must implement appropriate measures to protect it.
Data Processors
A data processor is an entity that processes personal data on behalf of the data controller. They act upon the instructions of the data controller and may be a third-party service provider or an internal department within an organization. Examples include cloud service providers, IT companies, or payroll processing firms.
Responsibilities of a Data Processor:
- Processing Data: Data processors handle personal data as instructed by the data controller. They must ensure compliance with data protection regulations.
- Security: It is the responsibility of data processors to implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, disclosure, alteration, or destruction.
- Confidentiality: Data processors must ensure that individuals authorized to process personal data do so only according to instructions provided by the data controller and that they are bound by confidentiality obligations.
- Assistance to Data Controller: Data processors must assist the data controller in fulfilling their obligations concerning data subject rights, such as access, rectification, erasure, and data portability.
Joint Controllers
In some cases, two or more entities may jointly determine the purposes and means of processing personal data. These entities are referred to as joint controllers. Joint controllership typically arises in situations where multiple organizations collaborate on a project or share responsibility for processing personal data.
Responsibilities of Joint Controllers:
- Agreement on Responsibilities: Joint controllers must establish a clear agreement regarding their respective responsibilities for complying with data protection laws and ensuring the rights of data subjects.
- Communication with Data Subjects: They should inform data subjects about their joint controllership arrangement, including how their personal data is being processed and who to contact for exercising their rights.
- Coordination: Joint controllers should coordinate with each other to ensure consistent and effective implementation of data protection measures, such as data security and responding to data subject requests.
- Liability: Each joint controller may be held liable for their own actions in relation to data processing activities, as well as for any breaches of data protection laws that occur within their sphere of responsibility.
Understanding the concept of joint controllership is essential for organizations engaged in collaborative data processing activities to effectively manage their responsibilities and comply with data protection regulations.
The concept of joint processors is not explicitly defined in most data protection regulations like the GDPR (General Data Protection Regulation). However, it’s possible for multiple entities to jointly act as data processors when they collaborate to process personal data on behalf of a data controller.
In such cases, each entity may have specific responsibilities for processing the data, but they operate under the instructions and authority of the data controller. However, the legal framework typically focuses on joint controllership rather than joint processorship, as joint controllers have more substantial decision-making authority and responsibilities regarding the processing of personal data.
If multiple entities are collaborating as data processors, it’s essential for them to establish clear agreements regarding their respective roles and responsibilities, data security measures, and compliance with data protection regulations, even if the term “joint processor” is not explicitly used in the legal context.
Data Controller & Data Processor Contracts
What is the controller-processor contract for?
The contract between controllers and processors plays a crucial role in ensuring the protection of personal data and compliance with data protection regulations, such as the GDPR. It serves as a legal mechanism to formalize the relationship between the data controller (or joint controller) and the data processor, outlining each party’s responsibilities and obligations regarding the processing of personal data. By clearly defining these roles and expectations, the contract helps to mitigate risks, establish accountability, safeguard the rights of data subjects, and foster trust and compliance in data processing activities.
What should be included in a controller-processor contract?
The agreement between the controller, or joint controller, and the processor should outline specific obligations for the data processor. These include ensuring that the processor:
- Processes personal data solely based on the instructions provided by the data controller, including any transfers of personal data.
- Ensures that individuals authorized to process data are bound by confidentiality obligations or statutory duties of confidentiality.
- Implements appropriate security measures to safeguard the processed data.
- Obtains prior written authorization from the data controller before engaging another data processor, allowing the controller the opportunity to object if necessary.
- Assists the data controller in fulfilling obligations related to individuals’ requests to exercise their rights under data protection laws.
- Provides assistance to the data controller in securing processing activities, notifying data breaches, and conducting Data Protection Impact Assessments (DPIAs).
- Upon the data controller’s request, deletes or returns all personal data after the termination of service provision.
- Supplies the data controller with necessary information to demonstrate compliance with regulatory obligations.
- Facilitates and cooperates with audits and inspections conducted by the data controller or an authorized auditor.
Data Subjects and Their Rights
Data subjects are individuals whose personal data is being processed. They have certain rights regarding their personal data, including:
- Right to Access: Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed and, if so, access to that data.
- Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data.
- Right to Erasure: Also known as the “right to be forgotten,” data subjects can request the deletion of their personal data under certain circumstances.
- Right to Data Portability: Data subjects can request to receive their personal data in a structured, commonly used, and machine-readable format and, if feasible, to have that data transmitted to another data controller.
- Right to Object: Data subjects have the right to object to the processing of their personal data in certain situations, such as direct marketing.
Understanding the distinctions between data processors, data controllers, and the rights of data subjects is essential for organizations to navigate data protection laws effectively and ensure compliance while respecting individuals’ privacy rights.
An Example of Data Subject vs Data Controller vs Data Processor
Let’s break down the roles in the context of booking a hotel room:
Data Subject:
- The person making a reservation at the hotel. They provide personal information such as their name, contact details, and payment information to secure their booking.
Data Controller:
- The hotel itself. It determines the purposes and means of processing the personal data provided by the guest. This includes collecting the data, managing reservations, providing services during the stay, and ensuring compliance with data protection laws.
Data Processor:
- A third-party booking platform that the hotel uses to manage reservations. The booking platform receives the guest’s personal data and processes the reservation on behalf of the hotel. However, it does not decide how the data will be used beyond facilitating the booking; it simply follows the instructions provided by the hotel (the data controller) to manage the reservation effectively.
In this scenario:
- The guest making the reservation is the data subject, providing personal data for the booking.
- The hotel is the data controller, determining how the personal data will be used throughout the reservation process and ensuring compliance with data protection laws.
- The third-party booking platform is the data processor, handling the personal data on behalf of the hotel to facilitate the reservation process efficiently.
More about HONOS
At HONOS, we specialize in custom-built data privacy and data protection solutions for businesses of all sizes. Our services range from policy development, assessments, and privacy program development and management to providing fractional Data Protection Officers (DPOs) and Chief Privacy Officers (CPOs), as well as breach planning and response. By partnering with HONOS, organizations can ensure that they have the expertise and support they need to navigate the complexities of data protection laws and regulations. Whether you’re a data controller, data processor, or both, HONOS is here to help you safeguard personal data and maintain compliance with confidence.