The General Data Protection Regulation (GDPR) has brought about the creation of two new concepts: Data Controller and Data Processor.
These roles already existed in the previous data protection regulations, where they were referred to as File Manager and Data Processor. However, the GDPR gives them a new name.
What is the difference between the Data Controller and the Data Processor?
By Data Controller we mean the natural or legal person, public or private, who decides aspects of the processing of personal data such as the purpose and use of the data or the retention periods. The Data Controller is also the person to whom a data subject must turn in order to exercise any of their data protection rights.
Therefore, the Data Controller is responsible for the data it holds, such as the personal data of employees, prospects/leads, customers or suppliers, among others. The Data Controller is also obliged to duly inform these data subjects of the processing operations and their purposes, since one of the principles of the GDPR is that the processing of personal data must be fair and transparent, which implies providing this information at the time the data is collected, if possible. As an example, if we sign up for a selection process directly on a company's website, that company, if it decides to keep our résumé for its selection process, will be responsible for our résumé data.
On the other hand, by Data Processor we mean the service provider who, contracted by the Data Controller, must access personal data that is the responsibility of the Data Controller. In fact, simply accessing or viewing the data already counts as "processing", as in the case of suppliers who provide maintenance or computer support services. Although they do not have to manipulate the personal data to provide the service, they are considered Data Processors.
In this sense, the clearest example of a Data Processor is the labor management company that prepares the payroll and handles the registration and deregistration of the Data Controller's employees with social security. The management company must process the personal data of the employees in order to provide the service.
How is the relationship between the Data Controller and the Data Processor regulated? This relationship must be established through a contract or a similar legal act linking them. At a minimum, the following points must be established in the contract:
- The object
- The duration
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the parties
It is important to emphasize that the Data Processor may in no case use personal data for purposes other than those entrusted in the Data Processing Agreement.
The agreement should also establish the outsourcing regime. The GDPR requires prior written authorization from the Data Controller before the Data Processor can rely on another Data Processor (Sub-Processor) to provide the service, when this entails the processing of personal data by that Sub-Processor. The authorization for subcontracting can be specific (identifying the specific entity that will provide the service) or general (authorizing subcontracting without specifying the entity). Where the authorization is general, the Data Processor shall inform the Data Controller of the incorporation of a Sub-Processor or its replacement by other Sub-Processors, thus giving the Data Controller the opportunity to oppose such changes, and a time limit must be set for such opposition.
At GlobalSuite Solutions we offer a consulting service that aims to help you ensure compliance with the legal requirements on data protection, as well as the centralized management of the system through our GlobalSuite® solution.