When you as a private company, public authority, natural person or institution process personal data of other persons, it is important that you are aware of your role in the processing.
Processing of personal data includes all handling of personal data, such as collection, movement, storage and transmission.
The GDPR mentions two main controllers of personal data processing, and these are the data controller and the data processor. When you as a company or public body process personal data, you need to be absolutely sure whether you are the controller or the processor - or maybe both.
Before you process personal data
It is important that you are clear about your role before personal data is processed, because the requirements for a controller and a processor are different. The controller and processor each have their respective responsibilities. If the parties involved in processing personal data are not sure who is responsible for complying with the different data protection rules, there is a risk that neither party will assume responsibility, or that one party will assume responsibility that it does not really have. It is therefore very important - before you start processing personal data - to clarify your role and that of any other parties involved in the processing.
It is important to point out that for some organisations the question arises whether personal data relates to a natural or legal person. Only personal data relating to natural persons is regulated by the GDPR.
What is a data controller?
The controller is the party that determines the purposes for which personal data are processed, how they are processed and the means by which a company or authority processes personal data.
In short, a data controller decides why personal data should be processed and how. And it is the data controller who is responsible for ensuring that everything is done correctly and in accordance with GDPR rules. If the processing of personal data is not done correctly, for example if inaccurate data is processed, then it is the controller who is penalised for it.
What is a data processor?
The data processor is the party, as the name suggests, that actually processes the personal data on behalf of the controller.
In other words, the processor does not have a purpose for processing the personal data itself. They do what the controller says. A controller gives an instruction and then the processor follows it. But the processor can decide which IT system and applications to use for processing personal data.
Let's say your company wants to reach some customers. You create a list of the people you want to contact, with their names, phone numbers, email addresses and, of course, their workplace. You put this list into a CRM system so that your sales people can contact the people. You have determined the purpose of the processing of personal data, namely to contact potential customers. So your company is the data controller. The CRM system you use, it could be Hubspot, is the data processor as they store the data and nothing else.
Virtually all companies and authorities have a data processor, so they don't have to do the processing of personal data themselves.
As with so much else about the GDPR, there is no one-size-fits-all answer as to who is always the data controller and the data processor.
It is up to you in your company or workplace to assess who is who. It is possible that one party, for example the company, is both the controller and the processor, but again this is rare as most companies will want others to process their data.
Your company is most likely a data controller, as a company is a data controller as soon as it has employees. And if you collect and use personal data for your own purposes, then you are also a data controller. If your company is a supplier, then you are most likely a data processor for another company.
A public authority must have a DPO
For public authorities, they must always have a DPO or Data Protection Officer.
A DPO must inform the public authority about the GDPR and advise them on the protection of personal data. The DPO also monitors the authority's compliance with the GDPR rules.
Once you have identified who is the data controller and who is the data processor in your company, you will need to conclude a data processor agreement according to the GDPR.
What is a data processor agreement?
A data processor agreement is a binding agreement between a data controller and data processor, which is part of a so-called data processor design. The data processor agreement must be drawn up by the data controller, and it is also the controller's responsibility that the data processor agreement is complied with.
Supervision of data processors
Once data processing starts, the controller must ensure that the processor actually carries out its work as agreed. So the controller must supervise the processor. This can be done by sending them questions about the data processing or visiting them.
It is therefore NOT sufficient to simply have a data processor agreement.
How to supervise a data processor
When you need to carry out an audit, it should include an audit of compliance with your data processing agreements.
There are three main ways to conduct an audit:
Your data processor itself can provide an independent monitoring report through, for example, their website or send it through email to your organisation
You can hire an independent third party to conduct an audit of your data processor(s). This is most relevant for medium or large companies, as hiring an external party can be costly
You can carry out the monitoring yourself. You can either show up at the data processor's address or do a "desk review" by sending them an email with some questions.
Data processors rarely prepare an audit statement themselves. In practice, it is therefore a difficult task for your company to comply with these rules. If you have to do the monitoring yourself, that is another task for your organisation.
If the processing of personal data involves a high risk for the data subjects, i.e. there is a high risk of security breaches or sensitive or confidential personal data is processed, you should monitor every 6 months. If the data processor processes a limited amount of ordinary personal data, then monitoring may be carried out less frequently, for example once a year or once every two years.
Joint data controller - when there is more than one controller
In some cases, there may be two or more parties responsible for the same personal data. And controllers can either be independent or joint controllers.
An example might be that there are three different companies: an airline, a hotel agency and a travel agent. The travel agent sends information about some customers who need to book a trip to the airline and the hotel agency. Here, all three companies process personal data for their own purposes and by their own means. They are therefore three independent data controllers.
But if the three companies join forces to offer package holidays and they create a website and they jointly decide why and how to process personal data, then they have joint data responsibility. When you are a joint controller, everyone is liable for the consequences if personal data is not processed properly.
Rights and duties of a data controller
A data controller has a number of obligations that must be respected. The controller must carry out risk assessments of its business or public authority to identify the risk of a security breach. A security breach is defined in the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
A security breach can be when an organisation discloses data without permission, or when data is deleted from the data subject when it should still be used.
To avoid a security breach, an organisation must ensure that "appropriate technical and organisational security measures" are implemented. This may include ensuring that all IT systems are well protected and that all employees are trained on GDPR rules.
It is the Data Protection Authority that sets fines for organisations if they discover that an organisation is not complying with data protection rules.
So it is very important that you know in your company who is the data controller, who is the data processor and if there might be several data controllers.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.