This guide is meant to help you understand your role as a data controller vs. a data processor, what responsibilities a data controller has, and how you supervise your data processors. Almost every company uses personal data in some way or another. Whether you collect personal information to complete an order or for marketing, you are working with personal data. Since the introduction of the GDPR in 2018, new obligations have been placed on data controllers and data processors.
In short, this guide will help you determine whether you're a data controller or a data processor, what the responsibilities are for each role, and why it's important to understand your role. In this guide we will also help direct you on how to supervise your data processors, to ensure that you're following the GDPR rules and the rules that you as a data controller have set in place. Data controllers and data processors are the two main types of parties that are involved in processing data under the GDPR.
Data controller vs. data processor
The GDPR establishes different roles, with different responsibilities, for those who decide how personal data is used and for those who process it: these are known as data controllers and data processors.
What is a data controller?
Data controllers are defined as:
A legal or natural person, an agency, a public authority, or any other body which, alone or jointly with others, determines the purposes and the means of processing personal data.
Or simply put, data controllers are the ones making the decisions. They decide which kind of data is to be collected and what it will be used for.
A data controller could be:
A legal person, including a public authority, an incorporated association or an incorporated partnership
A natural person, such as a partner in an unincorporated partnership, a self-employed professional or a sole trader
What is a data processor?
Data processors are defined as:
A legal or natural person, an agency, a public authority, or any other body that processes personal data on behalf of a data controller.
Simply put, data processors process data on behalf of the data controller but have no decision-making power over how the data is used.
So, the data controller is the one deciding what kind of data to collect and what it will be used for, while the data processor processes that data on behalf of the data controller. Let's look at an example.
Example of a data controller and data processor
A brewery has lots of employees. To pay the wages, it signs a contract with a payroll company. The brewery gives information to the payroll company on when wages should be paid and when an employee leaves or has a pay raise. The brewery also provides all relevant details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller, while the payroll company is the data processor.
Data controller responsibilities
As a data controller you must comply with the GDPR requirements. It is your responsibility to make sure that not only your own organisation is GDPR compliant but also that your data processor is.
This is why you must carefully consider your options when choosing a data processor, whether it is a piece of software, a freelancer or a partner that you work with for the purpose of data processing.
According to the GDPR, organisations must keep accurate and relevant records of the data that the organisation is processing. This applies to almost all data controllers and data processors, except when the processing is only occasional.
If your organisation is acting as the data controller you need to keep full records of the following:
Contact details of the data controller and the contact details of your data protection officer (DPO) if applicable
The categories of personal data that are collected and processed
The purposes of the processing, including the legal bases for it
The details of the organisations that data is being shared with, including third parties outside the EU
Timescales and processes involved with data retention and deletion
Relevant agreements that cover data transfers to third countries outside the European Economic Area (EEA), e.g., data processing agreements
Information about how you are securing data and safeguarding it, e.g., against cybersecurity threats
Now that we have covered the record-keeping requirements for data controllers, let's talk a little bit about the record keeping of data processors.
Data processor responsibilities
Data processors are also required to keep records covering the categories of processing they carry out.
The GDPR requirements for data processors are less extensive than those for data controllers. Data processors do not have the same level of responsibility when it comes to being GDPR compliant. However, a data processor must take appropriate technical and organisational measures to ensure that any data it processes is handled in accordance with the rules of the GDPR.
It is also important that a data processor's duties towards the data controller are specified in a contract. The contract must also cover what happens to the personal data once the contract is terminated.
Sign a data processing agreement with your data processor
If your company has an external service provider that processes personal data, then you as the data controller are responsible for proper data processing and data protection. Therefore, it’s important that you sign a data processing agreement with your data processor.
A data processing agreement is intended to ensure that the data processor only processes the data for the purposes for which the data controller collected it. The data processor is prohibited from using the data for any other purpose.
For a data processing agreement to be GDPR-compliant, the following aspects are required:
Subject and duration of processing
Nature and purpose of the processing
Type of personal data
Categories of persons concerned
Duties and rights of the controller
Adoption of appropriate technical and organisational measures (TOM) for the protection of personal data
Scope of the authority to issue directives
Obligations and rights of the processor
Reporting obligations of the contractor
Duty of the contractor to cooperate and provide support
Legitimate use of subcontractors
Preservation of the rights of data subjects
Duration of the order
Data controller vs. data processor GDPR fines
Both data controllers and data processors have responsibilities. The data controller has a clear responsibility to partner only with data processors that comply with the GDPR rules. (If you know that your data processor doesn't comply with the GDPR rules, you should consider another processor.) The data processor can also be held liable, along with the data controller, in case of GDPR infringements, which can lead to GDPR fines. The fines can go up to 20 million euros or 4 percent of your annual global turnover. Two great reasons to be GDPR compliant.
Organisations that have received a fine for not complying with the GDPR include WhatsApp and Google. WhatsApp was fined 225 million euros for "unnecessarily and unclear" handling of personal data.
Let’s now talk about how you supervise your data processors to make sure they are compliant.
Data controller guide: How to supervise your data processor
According to article 24 of the EU GDPR, the data controller must be able to demonstrate that data processing is performed in accordance with the GDPR, and the measures taken to ensure this are to be reviewed and updated where necessary.
The GDPR doesn't state how often or in what way you are expected to supervise your data processors, only that you must review that your data processing is carried out in compliance with the GDPR.
So, there isn't an official way to supervise your data processors, and it can also be tough to figure out what the right level of supervision should be.
Here at CyberPilot we’ve made some recommendations on the things you should be aware of when you’re supervising your data processors. Our recommendations are partly based on The Danish Data Protection Agency’s guide on how to supervise your data processors.
As a rule of thumb, the larger the number of people whose data is being processed, the higher the level of supervision of your data processor should be.
Get an overview of your data processors
Before you start, you should get an overview of which companies, and how many, process data on your behalf. You might have more data processors than you think. Your data processors may include a payroll company that manages your employees' payroll information, a cloud provider that stores personal data, or a customer relationship management (CRM) system that handles your customers' personal data, such as payment information, private addresses, e-mail addresses and other personal data.
Also consider the scope of each data processor. How much do you need them to do? The greater the amount of work and data that the data processor handles, the more monitoring and control you must put in place.
How to supervise your data processor
As a data controller you are obliged to supervise all data processors. When supervising your data processors, here are some key things to keep in mind:
Make sure that the data processor’s employees who handle personal data have signed a confidentiality agreement
Make sure that the data processor treats personal data they process on your behalf with proper safety measures, such as:
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The pseudonymization and encryption of personal data
Make sure that any sub-processor is under the same obligations as the data processor, and that the data processor conducts audits of its sub-processors
Make sure that the data processor assists you with requests regarding the rights of data subjects
Make sure that the data processor assists you in regard to reporting personal data breaches
Ensure that the data processor deletes and returns all personal data to you (the data controller) when their service ends
Conduct audits of your data processor
You should, when possible, review your data processor’s performance against the agreement you’ve made in your contract with them. Ask your data processor for a record of the data processing activities they’ve carried out on your behalf. If there are any issues or problems, you should seek to fix and remediate them. If the data processing is found to be of an unsatisfactory level, you should consider working with a different data processor, who meets your requirements for data handling.
It is a good idea to set a fixed time each year to review the data processors you are working with and determine which of them require supervision.
Data processor using a sub-processor
According to GDPR, a data processor can sub-contract some of their data processing to a third party. This is known as a sub-processor.
If you have given your data processor authorisation to use a sub-processor, you will need to make sure that the sub-processor follows the rules that are in place. You should always be aware of who is working with your data and how they handle it.
A contract between a data processor and a sub-processor must contain the same kind of data obligations that you (the data controller) have drawn up with your data processor.
Data processor security measures
Data processors must comply with the same security measures as data controllers. You should therefore be aware of the security measures your data processors have in place to ensure the security of personal data as well as their ability to guarantee confidentiality.
If something goes wrong, both you (the data controller) and the data processor can be exposed to malicious attacks. Your processor could suffer a data breach, which would affect the data they process on your behalf, as well as the people whose data they are processing. Make sure that you have appropriate processes in place, ensuring that you both comply with your GDPR obligations. It is also worth noting that the GDPR has requirements for how and when to report a data breach, as well as which kinds of breaches must be reported. And of course, you can be fined for not following these reporting requirements. It's also recommended that organisations keep a log of data breaches, even the ones they don't have to report, so that they can demonstrate GDPR compliance.
On a side note, you should be open when communicating about the processing of your data subjects’ data. Consider how the use of third parties is communicated in the information you provide to your data subjects. Make sure that your data processor communicates the processing of personal data properly.
Establish strong communication channels with your data processor
Always address the kind of activities you want the data processor to deliver on your behalf. It’s likely that your company deals with many data processors such as HR services, payroll companies and marketing agencies. Remember that the data processors work for you and it’s therefore important to communicate.
You should be open and transparent in your relationship with your data processors, so that your relationship can grow strong and prosper. A strong relationship between a data controller and processor is key to achieving GDPR compliance.