Am I a Controller or Processor Under the GDPR?

March 11, 2020

Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies both to businesses within the EU and to some in Australia. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both. Depending on whether you are a controller or processor will determine what your obligations are under the GDPR. This article will explain the difference between a controller and processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:

are physically located in the EU;
target their goods or services to individuals in the EU; or
monitor individuals in the EU.

For example, simply allowing EU individuals to access your website does not necessarily mean you have to comply. However, if you offer products in a European currency, you will likely need to comply with the GDPR.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor.

What Is a Controller?

A controller is an entity that decides which personal data to collect from individuals. They then also decide how they will use that data.

For example, if you are an online retailer and you collect the contact details of your customers, you are deciding which information to collect and are a controller.

If your company is a controller, you will process data on many different occasions.

For example, this may be when you:

collect contact details to communicate with customers;
run analytics on your app to look for trends with the way users engage with your app; and
use cookies on your website.

Each time you process data as a controller, you will need to choose a legal basis on which to do so. The table below explains the legal bases available to you.

Consent	The individual has consented to you processing their personal data.
Performing a contract	The processing is a part of your obligations under a contract you have with the individuals.
Vital interests	The processing is necessary to protect the vital interests of the individual.
Public interest	The processing is necessary for performing a task in the public interest.
Legal obligation	You are processing to comply with your businesses’ legal obligation.
Legitimate interests	Processing is necessary for your businesses’ legitimate interests (this is self-assessed by you).

What Is a Processor?

A processor is a business which is instructed to process personal data by a controller. This often occurs in the context of performing services for that controller.

For example, a third-party payment processor (TPPP) like PayPal, that processes payments on behalf of an online retailer. Here, the retailer is a controller and the TPPP is a processor.

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on:

which information is collected; and
how to use the information.

Data Processing Agreements

The GDPR requires that controllers and processors have an agreement in place with their respective processors and controllers. Called a data processing agreement, this document should set out the way each party handles personal data. Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.

For example, a mobile app business that collects its users’ personal data is a controller. The business may also use a developer to provide ongoing development for the app. While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.

Here, the developer is acting as a processor. The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.

To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.

Non-Compliance With the GDPR

There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators.

For example, in January 2019, a French regulator fined Google €50 million (approximately AUD$79 million) for not adequately obtaining informed consent from individuals.

In the future, the EU regulators may investigate and impose sanctions on Australian businesses operating in the EU.

Key Takeaways

If the GDPR applies to your business, it is crucial to know whether you are a controller or processor. This is important as controllers and processors have different compliance obligations under the GDPR. If you fail to comply with the GDPR, your business may face large fines. If you have any questions about ensuring that you meet your obligations under the GDPR, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

Thanks!

We appreciate your feedback – your submission has been successfully received.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.