Defining Roles in Data Processing
Both data controllers and data processors have responsibilities under data protection legislation (such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the GDPR). However, distinguishing between the concepts of controller and processor is important in determining which UK GDPR principles and obligations apply to a party. This will help ensure compliance and limit the risk of enforcement action by supervisory authorities.
In this article, we will look at the difference between the concepts of data controller and data processor and examine how to determine a party's respective role by looking at its actual involvement in the processing. Then, we will explore the allocation of responsibilities and obligations between these actors under the UK GDPR.
Data Controller: Definition and Responsibilities
A data controller is a party, either an organisation or an individual, that determines the key elements of the processing of data, including the purpose and means of processing: why and how the data will be processed.
A data controller can be a natural or legal person, such as a business, public authority or other body. However, in practice, more often than not, a data controller will be the organisation and not an employee within the organisation. Where an employee within an organisation is assigned responsibility for a processing activity that falls within the realm of the organisation's activities, the data controller will not be the employee but the organisation in which the employee works. The only exception is where the employee processes data for their own purposes.
As the data controller decides on the data processing, it is predominantly responsible for ensuring compliance with the data protection principles, for demonstrating compliance with data protection laws and for ensuring the protection of personal data.
Amongst many other things, data controllers are responsible for undertaking data protection impact assessments to quantify and mitigate the relevant risks of data processing, as well as for ensuring that there are adequate security measures in place to protect the data. Where data breaches occur, they are the party responsible for assessing the severity of the breach in question and taking steps to ensure that a similar breach is unlikely to recur. If the breach crosses the relevant thresholds, their data protection officer is responsible for notifying the breach to the data subjects and the relevant supervisory authority.
Joint Controllers
More than one party can act as a data controller when processing data. They can act either jointly or independently when processing the same data. When two or more data controllers jointly determine the purpose and means of processing, they are considered joint controllers of the data processing in question. The joint controllers decide together to process the personal data for a joint purpose. This does not mean that both parties must agree on and determine every aspect of the processing, but their decisions must complement each other in such a way that, without the input of each, the processing would not be possible. Hence, a party can be a data controller even where it does not make all the decisions regarding the purposes and means of the processing. This requires a case-by-case assessment.
Where joint controllers exist, each will have their own respective responsibilities to demonstrate compliance with data protection legislation.
Data Processor: Definition and Role
On the other hand, a data processor is a party that processes data on behalf of, and under the instructions of, a data controller. Like a data controller, it can be either an organisation or an individual. Given that it acts on the instructions of the data controller, the data processor serves the controller's interests rather than its own. Whilst the data processor can still have discretion over the practical aspects of the processing activity, such as the suitable technical and organisational means to process the data, it does not determine the essential purpose and means of processing. This means that the data controller remains primarily responsible for ensuring the protection of the personal data.
Most importantly, to qualify as a data processor, the party must be a distinct entity from the data controller. This means that the data controller delegates all or part of the processing to another organisation. For example, an HR department of an organisation that processes personal data on behalf of the same organisation will not be a data processor, as another department within the same entity does not qualify as a data processor.
Sub-Processors
The sub-processor relationship is similar to the relationship between a data controller and a data processor. The distinction is that a sub-processor arises where a data processor (the organisation that processes personal data based on what the data controller determines) instructs another organisation to process data on its behalf, hence a sub-processor. Sub-processors have the same responsibilities as a data processor, except that their responsibilities are owed to the data processor that instructed them rather than to the data controller itself, as the direct relationship is with the data processor and not the data controller.
Key Differences Between Data Controllers and Data Processors
Distinct Roles and Responsibilities in Data Processing
Broadly, the main distinctions are that:
- Data controllers determine the purposes and means of processing personal data, while data processors process personal data on behalf of the controller.
- Data controllers have more control and decision-making authority over data processing activities.
- Data processors act under the authority and instruction of data controllers.
- Data processors do not have the same decision-making power as data controllers.
The concepts of data controller and processor should be assigned based on the factual scenario in accordance with data protection law. By examining the factual circumstances of the envisaged or actual processing, you can decide whether a party will act as a data controller or a data processor. This means that the respective roles of the parties should not be allocated by contract, as they should not be a matter of negotiation. That said, explicit contractual arrangements can help infer who is determining the purposes and means of the processing activity.
In the absence of an explicit legal provision detailing the parties' roles, the roles must be established based on the facts. It does not matter who has possession of the personal data; the assessment must be based on each party's role and level of control in the processing activity. In determining the respective roles of the parties based on the factual circumstances, you should ask the following questions:
- Why is the processing taking place?
- Who decided that the processing should take place?
- Who has decisive influence on the purpose and the essential means of the processing?
- Who is receiving instructions regarding the processing activity?
Importantly, a party can be both a data controller and data processor at the same time for different processing activities in the processing chain.
How are these roles affected by compliance with privacy laws?
The UK GDPR applies to both data controllers and processors; however, they have different legal obligations and responsibilities under privacy laws. The accountability principle sets out an explicit obligation for the data controller to implement appropriate and effective measures to ensure compliance and to be able to demonstrate compliance where necessary. Data controllers are ultimately responsible for ensuring the lawful and responsible processing of personal data.
Whilst the accountability principle does not directly address data processors, processors are responsible for complying with it by acting under the instructions of the data controller and by supporting the data controller, where necessary, in demonstrating accountability.
For example, the data controllers have an obligation under the UK GDPR to use processors that provide ‘sufficient guarantees’ to protect individual rights. The data processor must provide details of sub-processors and all other relevant information necessary to demonstrate compliance with the UK GDPR obligations. However, it is ultimately the data controller that must conduct appropriate due diligence and ensure contracts with processors support compliance.
While there are differences in their respective responsibilities, both the ICO and data subjects may take legal action against either party for a breach of its obligations.
Data Controller-Processor Contracts
It is essential to have an agreement in place between a data controller and a data processor to outline what responsibilities each party will have in relation to the personal data. The data processor is essentially a service provider and will need to act under the controller's instructions. Therefore, the controller's instructions need to be clearly laid out for the data processor to follow.
These agreements are referred to as 'data processing agreements' and are entered into between a data controller and a data processor, as well as between a data processor and a sub-processor.
Essential provisions and obligations for data processors under a data processing agreement
Article 28(3) UK GDPR sets out the essential provisions and obligations which need to be covered in a data processing agreement. It states that there must be a contract or other legal act that is binding on the processor. Given that it is a contract, it is recommended that a legal representative within both organisations is involved in the contract negotiation, to check the terms stipulated by the data controller and the key responsibilities within it.
The data privacy obligations are that the processor:
- processes data only on the documented instructions of the data controller;
- ensures that only authorised individuals process the data and that they are bound by confidentiality;
- upholds its security obligations and has appropriate security measures in place;
- does not engage a sub-processor without the authorisation of the data controller;
- assists the controller with its own UK GDPR compliance obligations and with responding to data subject rights requests;
- returns or deletes the personal data at the end of the provision of services; and
- makes available all information necessary to demonstrate compliance with the UK GDPR and allows for audits and inspections by the data controller.
Often, there are also terms that dictate what should happen when a data breach occurs, and any specific requirements on how to adhere to the data controller's instructions. So whilst a data processor may be seen to have limited compliance responsibilities in comparison to the data controller, in practice it is often contractually required to handle the processing of personal data in a similar way.
Conclusion
We hope this article has provided an initial outline of everything you need to know about data controllers and data processors, who they are and what their data protection obligations are. If you have any questions or want expert support in completing a data sharing agreement, check out our services or send us an enquiry at info@informationgovernanceservices.com, where a data protection expert can get in touch to support you.