
Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies to businesses established in the EU and, in the circumstances set out below, to some Australian businesses as well. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal data, or both. Which of these roles you play determines what your obligations are under the GDPR. This article explains the difference between a controller and a processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:

  • are established in the EU;
  • offer goods or services to individuals in the EU, whether or not payment is required; or
  • monitor the behaviour of individuals in the EU.

For example, simply allowing EU individuals to access your website does not by itself mean you have to comply. However, if you price goods in euros or another EU currency, offer delivery to EU countries or market in the language of an EU member state, you will likely need to comply with the GDPR.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as a controller, a processor, or both.

What Is a Controller?

A controller is an entity that decides why personal data is collected and how it will be processed. In the GDPR’s own terms, the controller determines the “purposes and means” of the processing. Where two or more entities make those decisions together, they are joint controllers and each is responsible for the processing.

For example, if you are an online retailer and you collect the contact details of your customers, you decide which information to collect and what it is used for, so you are a controller.

If your company is a controller, you will process personal data in many different ways.

For example, this may be when you:

  • collect contact details to communicate with customers;
  • run analytics on your app to look for trends in the way users engage with it; and
  • use cookies on your website.

Each time you process personal data as a controller, you must identify a legal basis for doing so before you start. The six legal bases available to you are:

  • Consent: the individual has given clear, specific consent to you processing their personal data for that purpose, and can withdraw it at any time.
  • Performing a contract: the processing is necessary to perform a contract you have with the individual, or to take steps at their request before entering into one.
  • Vital interests: the processing is necessary to protect the life or physical safety of the individual or another person.
  • Public interest: the processing is necessary for a task carried out in the public interest or in the exercise of official authority.
  • Legal obligation: the processing is necessary for your business to comply with a legal obligation it is under.
  • Legitimate interests: the processing is necessary for your business’s legitimate interests (or a third party’s), and those interests are not overridden by the individual’s rights and interests. You assess this yourself, and you should document the balancing test you carried out.

What Is a Processor?

A processor is a business that processes personal data on behalf of a controller and on its instructions. This usually occurs in the context of performing services for that controller.

For example, a third-party payment processor (TPPP) like PayPal, that processes payments on behalf of an online retailer. Here, the retailer is a controller and the TPPP is a processor. Check the provider’s own terms before relying on that label, though: many payment providers’ privacy terms state that they act as a controller for transaction data, because they determine their own purposes for it (such as fraud screening and anti-money-laundering checks).

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on: 

  • which information is collected; and
  • how to use the information.

Data Processing Agreements

The GDPR requires a written contract, called a data processing agreement, between each controller and each processor that handles personal data on its behalf. The agreement must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of individuals involved, and the processor’s obligations. In particular, the processor must process the data only on the controller’s documented instructions, keep it confidential, apply appropriate security measures, obtain the controller’s authorisation before engaging sub-processors, help the controller respond to individuals’ requests and to data breaches, delete or return the data at the end of the service, and allow audits. This is how a controller ensures that its own obligations flow down to the processor.

For example, a mobile app business that collects its users’ personal data is a controller. The business may also use a developer to provide ongoing development for the app. While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.

Here, the developer is acting as a processor. The app business remains responsible under the GDPR for that data and needs to make sure the developer handles it only as instructed.

The data processing agreement is where those handling rules are set out, so put one in place before the developer receives any personal data. A practical check for this example: if the developer genuinely needs production data for development or testing, the agreement should say so, and the business should consider whether pseudonymised or synthetic data would serve instead.

Non-Compliance With the GDPR

There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators of up to €20 million or 4% of your worldwide annual turnover, whichever is higher.

For example, in January 2019, the French regulator (the CNIL) fined Google €50 million (approximately AUD$79 million) for not adequately obtaining informed consent from individuals.

EU regulators can also investigate and sanction Australian businesses that fall within the GDPR’s reach. A business outside the EU that is subject to the GDPR in this way must generally appoint a representative in the EU, which gives regulators a local point of contact.

Key Takeaways

If the GDPR applies to your business, it is crucial to know whether you are a controller or processor. This is important as controllers and processors have different compliance obligations under the GDPR. If you fail to comply with the GDPR, your business may face large fines.

Jessica Anderson