What Is the Difference Between a Controller and Processor Under the GDPR?

Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies both to businesses within the EU and to some in Australia. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both. Depending on whether you are a controller or processor will determine what your obligations are under the GDPR. This article will explain the difference between a controller and processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:

• are physically located in the EU;
• target their goods or services to individuals in the EU; or
• monitor individuals in the EU.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor. 

What Is a Controller?

A controller is an entity that decides which personal data to collect from individuals. They then also decide how they will use that data. 

If your company is a controller, you will process data on many different occasions. 

For example, this may be when you:

• collect contact details to communicate with customers; 
• run analytics on your app to look for trends with the way users engage with your app; and
• use cookies on your website. 

Each time you process data as a controller, you will need to choose a legal basis on which to do so. The table below explains the legal bases available to you.

What Is a Processor?

A processor is a business which is instructed to process personal data by a controller. This often occurs in the context of performing services for that controller. 

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on: 

• which information is collected; and
• how to use the information.

Data Processing Agreements

The GDPR requires that controllers and processors have an agreement in place with their respective processors and controllers. Called a data processing agreement, this document should set out the way each party handles personal data. Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.

Here, the developer is acting as a processor. The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.

To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.

Non-Compliance With the GDPR

There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators.

In the future, the EU regulators may investigate and impose sanctions on Australian businesses operating in the EU.

Key Takeaways

If the GDPR applies to your business, it is crucial to know whether you are a controller or processor. This is important as controllers and processors have different compliance obligations under the GDPR. If you fail to comply with the GDPR, your business may face large fines. If you have any questions about ensuring that you meet your obligations under the GDPR, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.