What Is the Difference Between a Controller and Processor Under the GDPR?

< Back to Data and Privacy
March 11, 2020

Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies both to businesses within the EU and to some in Australia. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both. Depending on whether you are a controller or processor will determine what your obligations are under the GDPR. This article will explain the difference between a controller and processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:

  • are physically located in the EU;
  • target their goods or services to individuals in the EU; or
  • monitor individuals in the EU.

For example, simply allowing EU individuals to access your website does not necessarily mean you have to comply. However, if you offer products in a European currency, you will likely need to comply with the GDPR.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor. 

What Is a Controller?

A controller is an entity that decides which personal data to collect from individuals. They then also decide how they will use that data. 

For example, if you are an online retailer and you collect the contact details of your customers, you are deciding which information to collect and are a controller. 

If your company is a controller, you will process data on many different occasions. 

For example, this may be when you:

  • collect contact details to communicate with customers; 
  • run analytics on your app to look for trends with the way users engage with your app; and
  • use cookies on your website. 

Each time you process data as a controller, you will need to choose a legal basis on which to do so. The table below explains the legal bases available to you.

ConsentThe individual has consented to you processing their personal data.
Performing a contractThe processing is a part of your obligations under a contract you have with the individuals.
Vital interestsThe processing is necessary to protect the vital interests of the individual.
Public interestThe processing is necessary for performing a task in the public interest.
Legal obligationYou are processing to comply with your businesses’ legal obligation.
Legitimate interests Processing is necessary for your businesses’ legitimate interests (this is self-assessed by you).

What Is a Processor?

A processor is a business which is instructed to process personal data by a controller. This often occurs in the context of performing services for that controller. 

For example, a third-party payment processor (TPPP) like PayPal, that processes payments on behalf of an online retailer. Here, the retailer is a controller and the TPPP is a processor.

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on: 

  • which information is collected; and
  • how to use the information.

Data Processing Agreements

The GDPR requires that controllers and processors have an agreement in place with their respective processors and controllers. Called a data processing agreement, this document should set out the way each party handles personal data. Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.

For example, a mobile app business that collects its users’ personal data is a controller. The business may also use a developer to provide ongoing development for the app. While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.

Here, the developer is acting as a processor. The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.

To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.

Non-Compliance With the GDPR

There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators.

For example, in January 2019, a French regulator fined Google €50 million (approximately AUD$79 million) for not adequately obtaining informed consent from individuals.

In the future, the EU regulators may investigate and impose sanctions on Australian businesses operating in the EU.

Key Takeaways

If the GDPR applies to your business, it is crucial to know whether you are a controller or processor. This is important as controllers and processors have different compliance obligations under the GDPR. If you fail to comply with the GDPR, your business may face large fines. If you have any questions about ensuring that you meet your obligations under the GDPR, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. For just $199 per month, membership unlocks unlimited lawyer consultations, faster turnaround times, free legal templates and members-only discounts.

Learn more about LVConnect

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.
Read other articles by Jessica
Tags
Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2019 NewLaw Firm of the Year - Australian Law Awards 2019 NewLaw Firm of the Year - Australian Law Awards
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review 2020 AFR Fast 100 List - Australian Financial Review
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer
Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy