As is the case with any piece of legal documentation, the GDPR is full of incredibly complex terminology and details. It does not matter whether you are an individual or part of an organisation, it is important that, if you handle or process personal data, you are familiar with your obligations.
One of the most commonly asked questions we receive relates to the terms “data controller” and “data processor”. We have found that many of our clients do not understand which category they fall into. So, to help us understand, here are the definitions (as laid out in Article 4 of the GDPR):
Those definitions are helpful, but what do they actually mean in the real world? Here are some examples:
A data controller could be an individual, a company, a government department or a voluntary organisation. It refers to ANYONE who HOLDS personal information about employees and the general public. Examples of this in practice are endless but could include any company which holds personal information about its employees, any type of medical practice that keeps a record of patient data or a high-street store with a loyalty scheme or that records customers’ buying habits.
Data processor refers to anyone who PROCESSES personal data on behalf of the data controller. Again, there are too many examples for us to list in full, but a data processor could include a cloud provider that stores data on behalf of a controller - it is a processor because it has no scope to use the data for any of its own purposes, does not collect the data, and is subject to the instructions in their contract with the controller, including for how long to retain the data. Basically, anyone who receives personal data from a data controller in order to carry out a task.
Of course, it is possible for an individual or organisation to be both a data controller and a data processor.In the case of the same cloud provider, whereas they are a processor when it comes to their client, they are a controller when it comes to processing the personal data associated with their employees.
Accountants are controllers that process personal information on behalf of their clients. In the specific case of providing payroll services, where the personal data is collected by another controller, their client, and shared with the accountant who determine the means of the processing, there is a reasonable argument that the accountant is a joint controller with the client, who has simply determined the purpose of the processing (payroll), collected and supplied the data, but not determined the means.
Hopefully this blog has clarified the difference between a data controller and a data processor. However, if you remain unsure or would like to discuss the impact of GDPR on your organisation, please get in touch by calling 02032878243 or emailing firstname.lastname@example.org.
The Priviness blog is a forum for the discussion and dissemination of ideas relating to privacy. The posts are written by a number of different authors and do not necessarily represent the views of Priviness.