Data Controller vs. Data Processor. Who's who?
Although GDPR’s definition of the two may seem pretty simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.
This is mainly because the marketing technologies that most websites incorporate have vague privacy policies (you don’t always get to know how they handle data), and because there is often no paper trail between the parties that would reflect and clarify not just the commercial terms, but also the data processing conditions, the split of roles and the responsibilities.
The golden rules of role division can be summed up like this:
If you decide the purpose and the means of processing, then you are the data controller.
The one who acts upon your instructions will be the data processor.
Whenever the data processor exceeds its given mandate, it will automatically become a joint controller with full responsibilities.
The data controller is the entity that makes decisions about processing activities. The data controller decides:
- whether to collect the personal data in the first place, and the legal basis for doing so (including consent);
- which items of personal data to collect;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals’ rights apply and how;
- how long to retain the data.
The processor is any entity contracted by the controller for carrying out the processing. The data processor does not own the data that they process, nor do they control it.
This entity is only delegated to implement the data controller’s instructions regarding the purposes and the essential means of the processing, so the lawfulness of the processor’s activity relies on a very clear mandate given by the controller. Data processors can make decisions regarding:
- what IT systems or other methods to use to collect personal data;
- how to store the personal data;
- the detail of the security surrounding the personal data;
- the means used to transfer the personal data from one organisation to another;
- the means used to retrieve personal data about certain individuals;
- the method for ensuring a retention schedule is adhered to;
- the means used to delete or dispose of the data.
Sometimes roles and responsibilities may change, especially in digital marketing and in complicated processing chains.
A data processor exceeding the controller’s mandate will become a joint controller (also known as a “co-controller”).
Joint controllers must enter into an arrangement reflecting their responsibilities for complying with the GDPR.
The main aspects of the arrangement between the joint controllers must be communicated to the individuals whose data is being processed.
This is an important aspect that every marketer should pay attention to, because most marketing technology providers would rather consider themselves data processors, even though there are situations in which their data processing exceeds the controller’s mandate. The “benefit” of being a data processor is, of course, the smaller amount and lighter type of responsibilities (the legal ground for data processing, for example, is the data controller’s responsibility, on which the processor relies).
As the main data controller, you should accept your tech provider’s “processor” role only if you are assured that they will not exceed your instructions when it comes to handling your users’ data, beyond your knowledge or control. Otherwise, you will act as joint controllers and you will have to share responsibilities and inform users about your arrangement.
Let’s take Facebook as an example:
When you run campaigns with Facebook, Facebook is the data controller. However, if you have the Facebook pixel code installed on your website, you are responsible for obtaining consent to process user data before firing the pixel.
Keep in mind that in order to establish a fair role split, a rigorous analysis of each processing activity should be made, so that each party would be aware of its responsibilities under GDPR.
Written Data Protection Agreements (or Addendums) should also regulate the particularities of data processing – such as scope and purpose – as well as the relationship between the controller and the processor, including liabilities and guarantees.
When no paper trail is at hand, carefully read your technology providers’ terms and conditions so that you have a clear understanding of when you act as a data controller, and make sure that you implement all the required measures on your end.
Need to dig deeper?
How we can help:
We have mapped 200+ companies and technologies with their data and privacy policies into a database that we maintain regularly.
All this data is available inside every version of Avandor Consent and automatically pre-filled to show relationships and control over the processed data.
Sometimes we perform audits and discovery of roles and responsibility for clients.
We work closely with the client in order to discover and clarify all relationships with various vendors and/or technology providers in order to determine what role each company has in the data processing.
This is included by default in our PRO and Enterprise service packages.
We are providing a consent solution truly compliant with the GDPR requirements.
Avandor Consent automatically detects what's running on your sites and uses the database to provide detailed information about purposes, companies, roles and responsibilities, to inform the user and obtain valid consent, where needed. Then, it acts as a tag manager by allowing usage only for the applications that have received consent.
Georgiana Bedivan, Head of Compliance