Despite that GDPR is coming up on its fifth anniversary, people are still asking questions like “What is a ‘data controller’ or a ‘data processor’ under GDPR?” And “How is a GDPR data processor different from a GDPR data controller?” And even “Can a company be both a data processor and a data controller at the same time under the EU General Data Protection Regulation?” And the ever important question: “Do we have to comply with GDPR if we are in the U.S.?” Here are the answers.
As you probably know, GDPR went into effect on May 25, 2018, and notwithstanding a whole lot of misinformation out there saying otherwise, you do need to comply with GDPR if you are in the United States (or, really, anywhere else) if you want to play it safe.
So you probably started to read the full text of GDPR and found your eyes glazing over, and thus you may be confused as to whether you are a data controller, or a data processor, or maybe even both, and whether you need to comply with GDPR if you aren’t in the EU or the UK. Does GDPR even apply in the UK after Brexit? (It does, because the UK adopted its own UK GDPR.)
Part of the reason that reading the full text of GDPR can get one so confused is that the full text includes all of the prefatory language, which talks a great deal about the obligations of data controllers and data processors before you ever get to the actual definitions. Those definitions are contained within the law itself, which you don’t reach until after more than 30 pages of introductory language!
Actual Definition and Meaning of Data Controller under GDPR
Here is what makes an organization (or even an individual) a data controller for the purposes of GDPR – this is GDPR’s actual definition of ‘data controller’:
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Actual Definition and Meaning of Data Processor under GDPR
And here is what makes an organization or an individual a data processor for the purposes of GDPR – this is GDPR’s actual definition of ‘data processor’:
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Put in plain English, and for the purposes of making it easy to wrap your head around, essentially a data controller is anyone who, well, controls the personal data of any person. A data controller decides and is in control of what is going to be done with that data, both in terms of securing and storing it, and of using it.
A data processor is any entity that receives the personal data of others from someone else for the sole purpose of processing it, and applies some process to that data. They do not themselves determine what is to be done with the data – they simply do the controller’s bidding.
Here is an example:
Acme Widgets uses Great Email Newsletters (“GEN”) to send email newsletters to Acme’s customers. To do so, they upload the list of their customers’ email addresses to GEN.
Acme is the data controller – they have taken their customers’ personal data, which they have acquired and stored, and they have decided to use it to send out an email newsletter (note that under GDPR Acme can only do this if they have first received permission from their customers to use their customers’ email addresses for this purpose).
GEN is the data processor. They were not the ones to initially acquire the email addresses (Acme was). They are not the ones to determine what is to be done with the email addresses (Acme is). Acme is the data controller.
Can a single entity be both a data controller and a data processor? Absolutely. That can take the form of either a) some of their activities making them a data controller and others of their activities making them a data processor, OR b) a third party who both acquires the data on someone else’s behalf (think outsourced sign-up forms where the data is stored on the outsourced servers) and processes that data for that someone else.
Hopefully this has helped to clarify for you these basic GDPR matters, but if you have any questions, feel free to ask us!