The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.
Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.
A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.
Examples of data controllers:
- companies that process the personal data of their customers to complete a sale;
- financial institutions that process personal data of their clients;
- associations that process the data of their members;
- schools or universities that process personal data of students and teachers;
- hospitals that process personal data of their patients;
- government agencies that process personal data of citizens.
Examples of data processors:
- an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
- a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
- an SME commissions a marketing company to collect email addresses via third-party websites. The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.
More information: