
Data Controller vs Data Processor: who am I?

November 2021

With the advent of the General Data Protection Regulation (GDPR), already operational, and the revised Swiss Federal Act on Data Protection (FADP), which comes into effect in 2022, two different roles with varying responsibilities have emerged when it comes to data protection: the data controller and the data processor. But what are the key differences and, more importantly, which one are you?

Identifying the key differences is crucial for any business that collects, stores, and processes any type of personal data from clients, customers and users. In this article we will examine the core differences between data controllers and data processors which will not only allow you to determine which one you are, but more importantly what your obligations are.

What is a data controller?

A data controller is a person, organisation or authority group that “determines the purposes for which and the means by which personal data is processed” (European Commission, 2021). They’re the ‘decision makers’. This essentially means that the data controller is the one who decides what personal data is going to be processed, the reason for processing it (purposes), and how they will go about doing it (means).

If your company comes together with other organisations to jointly determine the purposes and means by which personal data is processed, then you are joint controllers. You will typically design the process for collecting data with them, use the same database to store data and have common information management rules with another controller.

What does this mean in real life? Here are some examples of companies and groups acting as the data controller:

  • LinkedIn creates targeted advertisements from the data collected from user profiles.
  • A charity collects email addresses from their supporters to start a mailing list.
  • Apple uses the data they collect from customers to deliver their products.

What are the responsibilities of a data controller?

But what does it mean if you are a data controller? Data controllers have the highest level of compliance responsibility, meaning you are ultimately responsible for the compliance of any and all of your data processors. Here is a list of some of the many responsibilities you will have if you are a data controller:

  • You are responsible for informing data subjects (the people you are collecting data from) of the purpose and means for collecting their data via a privacy policy (you can read ours here for example).
  • Conforming and registering (where necessary) with your country’s authority for regulating data protection (for example, the ICO in the United Kingdom).
  • Creating and monitoring a data processing agreement with each of your data processors.
  • Responding to any subject access requests.

It is important to note that this is not an exhaustive list of responsibilities. The full list of your responsibilities will depend on your country of operation, and if you are not sure or need further guidance, we would be happy to help.

What is a data processor?

A data processor is a person or business that “processes data only on behalf of the controller” (European Commission, 2021). This is typically a third party, whereby the duties of processing are specified to the processor by means of a legally binding contract. Importantly, if your company has employees, they are not processors. For as long as they act within the scope of their employee ‘duties’, they are acting as ‘agents of a controller’ and not as a separate party.

Whilst the data processor may receive a benefit for processing data for a data controller (such as a fee) they do not have the primary interest in the end result. They are processing data because the controller has asked them to do it.

What does this mean in real life? Here are some examples of companies and groups acting as a data processor:

  • Google Analytics receives user data from a data controller’s website. It analyses the website data and presents it in the form of insights on how the website is being used.
  • A printing company uses names and addresses of individuals provided by a data controller to print and deliver personalised invitations.
  • Xero receives employee personal and banking data from an employer to process payroll for a data controller.

What are the responsibilities of a data processor?

Unlike data controllers who have a larger number of responsibilities, the main responsibility of data processors is to follow, and abide by, the data processing agreement set out with the controller that they are working on behalf of. This essentially means that they cannot change the purpose for processing or means by which the data is used or collected. Data processors can be held liable for any damage that could be caused by not abiding by the data processing agreement, so it is important that if you are a data processor you follow the instructions of the data controller.

Am I a data controller, or a data processor?

Whilst the distinction is often clear between a data controller and a data processor, sometimes the divide is blurry. Likewise, a company is not automatically a data controller – it is common for a company to be both a data controller and a data processor. So how do you tell the difference?

Look through this first list of responsibilities:

  • We decide to collect or process the personal data.
  • We decide what the purpose or outcome of the processing is to be.
  • We decide what personal data should be collected.
  • We decide which individuals to collect personal data about.

If you answered yes to any (or all) of them, the likelihood is you are a data controller. Now look through this second list:

  • We are following the instructions of someone else regarding the processing of personal data.
  • We were given the personal data by a client, or told what data to collect.
  • We do not decide to collect personal data from individuals.
  • We do not decide what personal data should be collected from individuals.

If you answered yes to any (or again all) of the above, then you are most likely a data processor.

Whilst the above lists may settle the question fairly quickly, in real life it is often hard to determine who is a data controller and who is a data processor.

Still unsure? Get in touch with our data protection team to set up a call with one of our consultants and we will walk you through the differences.