Under the General Data Protection Regulation (GDPR), both data controllers and processors are held responsible for the personal data of EU citizens that they store and process, the details of which are presented in Chapter 4 of the regulation.
The official definition of data controller in the context of GDPR is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
In simple terms, data controllers are individuals or organisations that collect personal data, and determine why and how the personal data is processed. They are also the central figure when it comes to protecting the rights of the data subject.
Data processor, meanwhile, is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Or in other words, the people or organisations that data controllers hire or assign to process the personal data under their control. Although data controllers can also process personal data themselves, there may be situations where they would need to use an external service, provided by data processors, to process the data further.
While the previous EU directive only held data controllers liable for non-compliance, under the GDPR, data processors are also obligated to protect the data that they process and perform their processing duties in compliance with the GDPR or risk penalties themselves. However, the obligations and responsibilities expected of them differ depending on the category that they fall under.
Therefore, it’s important for organisations to understand the difference between data processors and data controllers and which category they fall under so that they are aware of their obligations under the GDPR, as well as the limits to what they can and cannot do with the personal data.
