Controllers, Joint Controllers and Processors
Author: Ioannis Gousgounis, owner and founder at SUCCESSKeys.GR
But what exactly are ‘controllers’ and ‘processors’ in data protection?
According to GDPR, Article 4:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Note: Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers (GDPR, Article 26).
As a controller you are responsible for, and must be able to provide evidence of, as and if needed, your compliance with the following 6 principles set out by the GDPR:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
This responsibility is referred to as the ‘principle of accountability’ in the GDPR (Article 5).
Are you a controller, a joint controller or a processor?
How can you determine whether you are a controller or processor under GDPR?
As a controller you must be able to answer, among others, the following questions:
· Why (purpose) and how (means) is personal data to be processed?
· Which data can be processed?
· Whose personal data are being processed?
· How long can the data be processed/stored?
· Who else can access the personal data?
Joint controllers are two or more controllers that process personal data for the same purpose, use the same set of data (e.g., the same database) and design the processing in collaboration. Joint controllers jointly determine the purpose and means of the processing.
Joint controllers shall clearly and with transparency determine their respective responsibilities for compliance with the obligations under GDPR by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject (see GDPR, Article 26).
As a processor you are likely to agree, among others, with the following statements:
· We follow instructions given by someone else regarding the processing of personal data
· We are told to collect personal data from individuals and also which data to collect
· We do not decide the lawful basis for the processing of personal data
· We do not decide how long to retain the data
· We do not decide whether to disclose/transfer the data or to whom
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller (see GDPR, Article 28).
Your compliance with the General Data Protection Regulation starts with the determination of your role and relevant responsibilities when processing personal data.
After you determine whether you are a controller, a joint controller or a processor, you can fulfill your relevant obligations as described in the Regulation.
An organization can be a controller for one data processing purpose (or purposes) and a processor for other, different purpose(s).