What is a data controller?
When is a company considered a data controller under GDPR?
Can you have many companies acting as joint controllers?
In this article, we will break down the concept of the data controller as defined under the General Data Protection Regulation.
Let’s get started!
A data controller is a company collecting personal data and determining the purpose for which personal data is collected and the means used to process the data.
In other words, an individual or a company can be considered a data controller in the following instances:
- It determines why personal data is collected
- It determines how personal data is collected
Article 4(7) GDPR defines a data controller as:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”
The key takeaway from this definition is that a data controller can be any of the following, provided it determines the purpose and the means of the processing:
- A natural person
- A legal person
- A public authority, agency or public body
And that, whichever form it takes, the controller:
- Determines the purpose of the processing
- Determines the means of the processing
Let’s look at each of the different aspects of the definition of a controller.
A controller can be a natural person or an individual.
A natural person is an individual with his or her own legal personality, or a human being, as opposed to a legal entity or a company.
If a person collects, uses, processes and stores personal information of an EU data subject for reasons other than purely personal reasons or the needs of his or her household activity, that person can be considered a data controller.
A data controller can be a legal person.
By “legal person” we mean:
- A corporation
- A partnership
- A cooperative
- An unincorporated association
A legal person is any legal entity, that is, a non-living entity, given a juridical personality under the law and certain rights comparable to those of a natural person.
A public authority, agency or body
A public authority is an agency created by the government to support the public and the overall economy.
A public agency can be a commission, board, county, city, district or regional district.
A public body refers to corporations and legal entities operated by the state or government.
All of these entities managed, operated or controlled by the government can be data controllers.
Determines the purpose of the processing
To distinguish a data controller from a data processor, GDPR requires that we look at the purpose of the processing.
Who defines the purpose of data processing?
This is an important question to answer.
Depending on who is determining the purpose of the data processing, that individual, legal entity or public organization will be considered the data controller and must adhere to all the controller obligations under GDPR.
The data controller will need to define the purpose and ensure it is able to process personal data based on a lawful basis.
Determines the means of the processing
The data controller is the organization determining the means by which personal data will be processed, stored, used and destroyed.
This is another aspect allowing us to determine whether or not an organization is a data controller.
When we say a company decides on the means, we are referring to its level of control and authority over how the processing is carried out.
If a company collects personal data and decides that the data will be processed through a particular system or systems, defines the data flow, and defines how and for how long the data will be stored, that company is defining the means.
A company may delegate some aspects of the processing to a data processor, but that does not affect its qualification as a data controller.
Data controller’s responsibility
The data controller has the most responsibility with regards to data privacy and data protection under GDPR.
Data controllers have strict GDPR responsibilities as they are the ones determining the purpose of the data processing activities and establishing the means to achieve that purpose.
As a result, the law is designed to ensure the controller takes the necessary accountability for its data processing operations.
A data controller can process personal data using its own means and technology, but it can also work with third parties to carry out processing activities.
Although a company may delegate certain processing activities to a third party, it remains the data controller because it remains responsible for instructing the third party on how to process the data.
GDPR responsibilities of a controller
GDPR imposes many responsibilities on the data controller, namely:
- It must disclose its processing purpose and lawful basis to data subjects
- It must comply with the GDPR data processing principles
- It must oversee data processors
- It must implement technical and organizational means to protect the data
- It must ensure data processing is secure by encrypting data, pseudonymizing data or applying other measures
- It must ensure data is lawfully transferred to third countries
- It must notify the supervisory authorities of data breaches
- It must notify the data breach to data subjects when required
- It must enter into data processing agreements with data processors
- It must be able to demonstrate and prove compliance with GDPR
- It must continually evaluate its processing operations, purpose and its compliance with GDPR
- It must consult with the supervisory authorities when required
- It must appoint a data protection officer when required
Examples of when a company is a data controller
Here are some examples of how data controllers acquire GDPR responsibilities when collecting and processing personal data:
- They set up a website to collect personal information
- They decide how personal data will be used after it is collected
- They decide to handle the processing themselves or not
- They decide to which processor they will delegate processing activities
- They decide what data processing activity they will delegate to a third party
- They decide which internal stakeholders can have access to personal data
- They decide how long they will process the data
- They decide how data will be destroyed
- They decide to process data based on a lawful basis that applies to them
- They must implement data protection by design and by default
- They must keep records of their data processing operations
- They must carry out a data protection impact assessment when there is a high risk to data subjects
Joint data controllers
Companies working in collaboration with others and together deciding why and how personal data is collected may be considered joint controllers.
When two or more companies may be considered joint controllers, they will need to enter into an arrangement defining each of their responsibilities relating to the processing of personal data.
The arrangement between the parties must be disclosed to the data subject.
For example, if a company is instructed to run analytics for another, then it’s clear that it’s a processor.
In this case, the processor is not collecting the personal data or determining the purpose or means.
However, if the same company is given personal data to perform analytics and it uses the data with other data to run the analytics, the organization will become a joint controller as it decides what other data to use and how to use it.
Data controller vs data processor
What is the difference between a data controller and a data processor?
The main difference between controller and processor
By definition, a data controller is an organization that determines the purpose of data processing and the means to achieve its purpose.
The data processor, on the other hand, processes personal data given to it for a very specific purpose as mandated by the controller.
For example, a company can outsource its cloud storage environment to a third party.
The third party, or processor, obtains personal data strictly for storage purposes and processes the data received only for those purposes.
Other than that, the processor does not process the data in any other way.
If the data processor uses the data in a manner not authorized by the controller or with other data, then it may become a controller with respect to its ‘new’ processing operations.
Rule of thumb
A good rule of thumb is if an organization follows the instructions of another, then it’s a data processor.
The processor generally works on behalf of another organization.
If a company determines the purpose and means of processing, then it will be a controller.
A data controller may not have the ability to handle every aspect of its business in-house.
As a result, if a controller tasks another company with specific processing activities that help it achieve its purpose, the company giving the instructions is still the data controller.
Difficulty in defining who is controller or processor
In some cases, it may be difficult to clearly define a company’s role.
Is the company a data controller or a data processor?
There may be instances where the answer is not clear cut.
Generally speaking, you are a data processor if you:
- Store data for another
- Do analytics for another
- Act on instructions of another
- Don’t collect the data yourself
- Do not have any purpose other than serving the other company’s needs
You are a data controller when:
- You decide how to use the personal data
- You define the means of collecting personal data
- You select the data processor
- You instruct the processor what you want to delegate
- You provide the personal data to the processor
- You enable the processor to collect the personal data on your behalf
GDPR principles and data controllers
GDPR outlines 7 data processing principles that organizations must observe.
These principles are:
- Lawfulness, fairness and transparency of data processing
- Purpose limitation
- Data minimization
- Data accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Data controllers are responsible for observing these principles.
Even when hiring a data processor, data controllers remain responsible to the data subject and for complying with these GDPR principles.
Working Party 29’s opinion on the concept of “controller” and “processor”
On February 16, 2010, the Article 29 Data Protection Working Party issued an opinion on the concepts of “controller” and “processor”.
The opinion was issued at the time of the data protection Directive 95/46/EC.
The concepts are worth mentioning.
The Working Party indicated that data controllers are the parties able to exert control over the essential elements of the data processing.
When processing personal data, a company should have a proper understanding of its role.
Is it acting as a data controller or a data processor?
Depending on the role of a company, GDPR will impose different compliance obligations.
In this article, we covered how GDPR may define a data controller to help you in your assessment.