Data Controllers vs. Data Processors

A crucial aspect of the GDPR is the difference between a data controller and a data processor. Luckily, the distinction is fairly easy to understand and remember.

Basically, a data controller is the one who decides what data is collected and how that data will be processed. Data controllers usually collect the data for purposes they decide and manage, and are responsible for ensuring that it is handled properly. Data controllers are often also data processors, but can also use a separate data processor.

A data processor takes information that has been collected by a data controller and then uses it to complete a task or tasks on behalf of the data controller. The data processor must obey the data controller and only process data in the ways that they have been instructed. Data controllers are similar to managers who guide and oversee the work of data processors.

Imagine an ecommerce website that utilizes a third-party payment processor.

When a user decides to make a purchase from the website, the website handles the majority of the transaction but hands off the payment information to the third-party processor. The ecommerce website is the controller in this scenario because it facilitates the sale with the buyer and decides what is done with the customer's data.

The ecommerce website doesn't actually process the payment data though. Instead, the third-party payment processor handles the actual data processing at the direction of the data controller.

In the above example, the ecommerce website manages the transaction and collects the payment information from the data subject. It then transfers that information to the third-party payment processor with instructions on what to do with that data.

The payment processor only acts according to the instructions of the website with the data provided to it. In this example relationship, the ecommerce website is the data controller and the third-party payment processor is the data processor.

By and large, both data controllers and data processors must abide by many of the same rules. They are required to handle personal data a certain way, have adequate safeguards in place to protect that data, and must respect the rights and privacy of their data subjects.

However, there are some crucial scenarios where it is necessary to distinguish between the two as the rules and regulations can vary according to your role.

In this chapter, we will discuss how the GDPR regulates these two categories of data handlers so you understand your responsibilities as a data controller and/or processor.

In order to really drive home the difference between data controllers and data processors, and to help you determine which one you are, let's explore a few examples.

The Dynamic Between a Data Controller and Data Processor

Some businesses take on the role of both data controller and processor by handling all of their data processing needs internally.

For example, consider a website that prompts you to create an account by providing your email address in order to send you updates or a newsletter. If the website handles its own email list and does not utilize a third-party service to handle the list or send out updates and its newsletter, then the website would be both the data controller and the data processor.

This is because the website decides what is to be done with the email address data and processes it to send out updates and its newsletter.

The Data Controller

If, on the other hand, the website in the above example used a third-party service (like MailChimp) to handle the distribution of its newsletter to the email list, the website would be the data controller and the third-party service would be the data processor. The data controller decides what is to be done with the data it provides to the processor.

In this example, the website would inform the distributor of what it wants done with the email list (such as sending out a monthly newsletter) and the distributor would carry out that task. You can see how the website is "controlling" the email list while the distributor is simply "processing" the information.

The Data Processor

The distributor in the above examples would be the data processor as it does not decide what to do with the email addresses but simply carries out the tasks requested by the data controller (the website).

Under the GDPR, data processors are ONLY to process data in response to orders and directions from the data controller. A data processor may not process that data for any additional purposes beyond what was requested by the data controller.

Being Both a Data Processor and Data Controller

Data processors can also be data controllers and almost always will be.

Consider a data processing company that handles email newsletter processing for other companies. While the company is a data processor in the relationship between itself and its clients, it is a data controller in other relationships and with other data.

The data processing company will be data controller when it comes to things like:

  • Contact and billing information it collects from its clients
  • Its own employee documentation like information found on employee applications and in payroll databases

While data processing requirements will apply to the processor in its relationship with its clients, it will also need to take steps to comply with data controller requirements in regard to other data it chooses to collect.

Example #1: Social Media Website That is Both a Data Controller and Data Processor

Consider a social media platform where users are able to create an account by providing information about themselves. This information would likely include things like name, age, city of residence, workplace, etc. which would constitute personal information under the protection of the GDPR.

As such, the social media website collecting this information would be designated as the data controller regarding that data.

Imagine that a feature of this social media website is sending email updates regarding information about the website as well as notifications regarding user interactions through the social media platform. The website automatically forwards these messages and notifications to the email associated with that account.

By processing the information regarding the account and the associated email address, the website would also qualify as a data processor.

In this example, the social media website would be considered both the data controller and data processor because it collects personal information and dictates what tasks it will be used for, in addition to carrying out those tasks itself. It both controls and processes the data.

Example #2: Ecommerce Website that is a Data Controller but not a Data Processor

Consider an ecommerce website started by an individual or small team seeking to sell a product. That product could be anything from t-shirts to software. In order to sell the product online, a small website is created in order to showcase and advertise the product. Potential buyers who visit the page can learn more about the product, see images, videos and reviews, or place an order.

The website itself, however, is not capable of processing payments. Instead, prospective customers pay via a third-party payment processor. In this scenario, the website is the data controller but not the data processor.

The website is the data controller because it dictates what is to be done with the personal data of its customer (payment is requested). The third-party, however, is the one actually processing the payment on behalf of the website and would be the data processor in this relationship.

Example #3: Email Marketing Service that is a Data Processor but not a Data Controller

Consider a company that assists in the creation and delivery of email marketing content and newsletters.

For example, a store hires this company to create and distribute an email advertising a new product to a list of interested customers. The email marketing service receives the email addresses for the recipients from the store along with information and assets about the product to be advertised. The marketing service then crafts an email and sends it to those email addresses as dictated by the store.

The email marketing service in this relationship would be the data processor while the store that hired the marketing service is the data controller. Here, the store collects the email addresses of the recipients, then provides that information to the email marketing service in order for them to complete a task as directed.

Since the email marketing service receives the email addresses for the sole purpose of distributing the advertisement and will not process the data for any other reasons, they are simply acting on behalf of the data controller as the data processor.

Remember, the email marketing service also acts as a data controller in other capacities, such as when handling the data of its own clients, but in this specific scenario they would be acting as the data processor when sending these emails at the direction of another company.

Here are some telltale signs that an entity is a data controller:

  • It dictates what data is collected
  • It dictates why and how data is to be processed
  • It takes possession of the data first

Data processors are given data that is:

  • To be processed by them but provided by another entity
  • Provided only for use in a specific task
  • Only to be processed at the direction of the data controller

Data Controller Responsibilities

Data controllers are responsible for everything from notifying data subjects of their practices, collecting data, and keeping that data secure to determining how qualified the data processors they select are.

The data controller is responsible for the personal data it manages at virtually every point in the life cycle of that data, meaning the majority of responsibilities revolve around the controller.

Here is a list of responsibilities for data controllers as described by the GDPR:

  • Must be able to prove compliance with the GDPR
  • Is responsible for ensuring lawful data processing
  • Should only handle and share necessary personal data
  • Should only share personal data with reputable entities
  • Must have appropriate security measures in place to protect the personal data of its users, and these measures should predate the collection of that data
  • Have an appointed EU representative if located outside of the EU and involved in sufficient data processing
  • Must only appoint processors who can prove compliance with the GDPR and agree to an adequate data processing agreement
  • Must report any security breaches as soon as possible
  • Must keep adequate records for proof of compliance with the GDPR if it has over 250 employees or processes personal data that is sensitive or on a large scale
  • May be required to appoint a Data Protection Officer depending on the type and quantity of personal data that it processes or monitors

In many ways, the GDPR's primary focus is on data controllers.

The regulation seeks to ensure that data controllers responsibly handle personal data in order to protect the rights and privacy of the users. By enforcing the rules above, data controllers must be responsible and transparent in their usage of personal data to reduce risks and potential mishandling.

Data Processor Responsibilities

While data processors incur fewer responsibilities in their role, these responsibilities are no less important. Failure to follow the correct procedures can result in serious risks to data subjects and hefty fines for data processors as well as their data controllers in some cases.

Here is a list of responsibilities for data processors as described by the GDPR:

  • Must keep adequate records for proof of compliance with the GDPR if it has over 250 employees or handles personal data that is sensitive or on a large scale
  • May only process data in the manner dictated by the data controller
  • Must have adequate security measures in place that predate the receiving of personal data for processing
  • Must obtain consent from the data controller to employ sub-processors
  • Must agree to an adequate data processing agreement
  • May need to appoint an EU representative and/or DPO
  • Shall return or delete the personal data at the end of the contract
  • Must report security breaches as soon as possible

Again, while data controllers carry more responsibilities as the entities that decide what to do with the personal data that they manage, non-compliance on the part of a data processor can create just as dire a situation, one that could put the rights and privacy of data subjects at risk.

The GDPR assigns several obligations to both data controllers and data processors in order to ensure that all parties involved in handling personal information do so safely and responsibly.

Recordkeeping Obligations

In order to be able to prove compliance with the GDPR, and for the safety of data subjects, both data controllers and data processors have certain record keeping requirements as mentioned above. The specifics of these requirements are different for data controllers and data processors, though they also share some aspects.

The recordkeeping obligations for data controllers under the GDPR can be boiled down to the following:

  • Have on record the name and contact information for any controllers, joint controllers, representatives, or Data Protection Officers
  • Have in your records the reasons for processing the personal data that you possess
  • Describe in your records the categories of data subjects and personal data that you handle
  • Include in your records the categories of recipients with whom you share or disclose the personal data that you possess, especially international entities
  • Keep records of the international recipients of personal data and any applicable documentation about the relevant security measures in place for those transfers
  • Have in your records the procedure for deleting personal data that is no longer needed and the estimated life cycle of different types of data
  • Describe in your records the security measures that you have in place to protect the personal data that you possess

The recordkeeping obligations for data processors under the GDPR are as follows:

  • Keep on record the name and contact information for any processors, joint processors, sub-processors, representatives or Data Protection Officers involved, as well as the data controller on whose behalf you are acting
  • Have on record the categories of data processing that you handle on behalf of the data controller
  • Keep records of the international recipients of personal data and any applicable documentation about the relevant security measures in place for those transfers
  • Describe in your records the security measures that you have in place to protect the personal data that you possess

While these obligations of both data controllers and data processors are similar in many aspects, the role of data processor is only to act on behalf of the data controller. Therefore, more of the responsibility and decision-making falls on the controller.

Article 30 of the GDPR states that these records should be kept in written form (which can be digital) and the data controllers, data processors, or their representatives must be able to make these records available to the proper authority upon request.

An Exception

Article 30 also includes an exception for organizations of fewer than 250 employees. It states that organizations of fewer than 250 employees are not obligated to keep records as described above unless one of the following is true:

  • The processing is likely to put user rights or freedoms at risk
  • Processing takes place more than occasionally
  • Special categories of data with additional protections are processed

This exception applies to both data controllers and data processors and is intended to limit the burden on small companies and small-scale operations that may not have the resources to maintain such detailed records.

Processing that takes place "more than occasionally" is fairly clear, but what does "occasionally" mean in this context?

It's easy to see that something that happens daily or very often would be "more than occasionally," such as a forum like Reddit where users tend to visit daily or even many times per day to interact with the site and submit comments and posts.

"Occasional" processing typically means that something is processed in a one-off way or is done rarely.

An example of this may be a tax website that collects user information but only uses it once a year to submit tax returns for the individual, and only uses email addresses to confirm the returns have been submitted. In a case like this, the tax company may be exempt from needing to keep records.

However, if the tax company sends marketing emails consistently throughout the year, this changes things and the processing will be considered "more than occasionally" done. In this case, records will need to be kept.

Ask yourself how often you use the data you have on hand to determine if it's just occasional (rarely or only once), or more than occasional (regularly or somewhat consistently).