This article will help you understand the difference between the two roles and what they mean for your startup.
Controller
A controller is an individual or company who decides why and how personal data is processed.
In a nutshell, controllers make decisions about personal data. So, in figuring out whether you or your startup is a controller, ask yourself if you decide:
- If personal data is needed in the first place and the legal basis?
- What personal data you will collect?
- How it will be collected?
- What the personal data will be used for?
- Who the personal data will be shared with or disclosed to?
- Which data subject rights will apply to the processing?
- How long will the personal data be kept for?
This is not an exhaustive list but, if you answered “yes” to one or more of those questions, it’s likely that you’re a controller.
What does it mean to be a controller?
As a controller, you need to comply with all of the provisions of the UK GDPR when processing personal data. For example, you need to provide a privacy notice (and a cookies notice if you use cookies or similar technologies on your websites or apps), have a record of processing activities which also identifies your legal bases for processing, and have various data protection policies in place on retention, information security, handling Data Subject Access Requests and other rights requests, and data breaches and incident responses.
It is an important role being the controller. If things go wrong (for example, if there is a personal data breach) the controller is the party that the data protection regulator deems responsible.
Processor
A processor is someone who processes personal data on behalf of a controller.
Common examples of the controller/processor relationship are:
- Client and Cloud services provider
- Client and marketing tool provider
- Client and HR payroll or benefits provider
- Client and data analytics provider
You might notice a common theme here. A processor must be a separate entity which usually provides a service to benefit the controller, who is the client of the processor in the above examples.
What does it mean to be a processor?
If you are acting as a processor, you only need to comply with certain principles of the GDPR including those which are set out in Article 28 of the GDPR. These principles include:
- having appropriate organisational and technical measures to keep data subjects’ data safe and secure,
- engaging any sub-processors on data protection terms which are the same as those you have with the controller, and
- having a Data Processing Agreement (DPA) which contains certain mandatory terms and spells out your contractual obligations including things like, the controller’s instructions on how they want the processor to handle their personal data while providing your services to the controller.
If a processor starts acting outside of the terms of a DPA and makes its own decisions about how it handles personal data, it runs the risk of becoming a controller, which means it will have to comply with the more onerous obligations under the GDPR.
Top tip - employees (and contractors who are treated by the controller similarly to employees) are generally not considered to be processors and are instead considered to be part of the company as the controlling entity.
Sub-processors
A processor might engage other processors, known as sub-processors, to provide its services. A processor will need to ensure that its sub-processors also comply with the DPA otherwise the processor will be on the hook to the controller for any breaches of the terms of the DPA.
Can I be both?
Yes. Businesses are complex structures and are likely to carry out a range of data processing activities. For example, a company might be a controller with respect to the processing of its staff’s data and also a processor in relation to the services it provides to its clients.
I’m still not sure which one I am!?
Don’t worry! The question of whether a company is a controller or processor can be quite a difficult and nuanced one. If you have any questions, get in touch with our team.
Back to all posts