Controller and processor

An important factor in setting up both internal and external processes is the knowledge of what duties and responsibilities a particular subject has in a particular situation to ensure compliance with the European GDPR. This Regulation will help you to understand the position of the subject and its rights and obligations regarding the collection, storage and processing of personal data.

Who is the controller?

 The role of the personal data controller has played a role in previous legislation and thus continues to play a key role in the processing of personal data. The controller acts as the so-called responsible person for the lawful and correct observance of the processing of personal data.

 Controller is: 

  • anyone who, alone or together with others, defines the purpose of personal data processing, determines the conditions of their processing and processes personal data in his own name and systematically (only the controller can process personal data mentioned above in his own name).
  • a person who fulfills the conditions of the law, as well as a person who derives this provision directly from a special law (for example, a banking institution);
  • a person responsible for taking appropriate technical and security measures to ensure and be able to demonstrate that processing is carried out in accordance with GDPR Regulation.

 It is important to note, that a person who processes personal data for its own use in the course of personal activities or processes personal data obtained accidentally, is not in the position of controller.

Who is the processor?

One of the controller’s responsibilities is to make sure that the subjects that have access to the processed data are quality and serious. There are situations in which the data processing controller entrusts a so-called externalist, e.g. external accountant. However, the processor does not have to be just an external accountant who has access to personal data based on accounting documents. A cloud service controller may also be in the position of a processor, who may not have access to the data, but that data is stored on its hardware resources through its software applications. In this case, the data controller allows these subjects to process the data provided to them, e.g. employee data. It must, however, specify precisely what data, for what purpose and in what way will the subjects process. This puts them (external accountant and cloud service controller) in the position of personal data processor.

Processor is : 

  • a person authorized by the controller who processes personal data on behalf of the controller (such processing is governed by a contract or other legal act under Union or Member State law),
  • a person who ensures that persons authorized to process personal data undertake to maintain the confidentiality of information;
  • a person who helps the controller to the greatest extent possible by appropriate technical and organizational measures in the performance of its duties,
  • the person who takes the required measures and complies with the terms of the articles of the GDPR.

Although each of the above subjects has defined their “tasks” in terms of GDPR, they both carry a high level of responsibility and bear the risk of a personal data breach that may affect the rights and freedoms of the data subjects. However, it is not always easy to redistribute tasks between controller and processor. This is also served by the GDPR, which creates a framework and tasks in case when problems appear. A common example in which the identification and allocation of tasks is crucial is a breach of data protection (e.g. loss of information, information leak, etc.). In that case, the companies affected by the infringement must ensure that all of their specific positions act in accordance with their responsibility.

One important aspect of the relationship between controller and processor is the so-called mediation contract.

What is mediation contract?

It is essential to ensure that there is a clear and specific agreement on data processing (mediation contract) before the processing of personal data is handed over to a third party. Simply put, it is a written division of competences and responsibilities between subjects. The mediation contract must contain the necessary particulars, namely:

  • the subject and time of processing of personal data,
  • purpose of processing,
  • type of personal information,
  • categories of data subjects,
  • rights and duties of the controller.

The Personal Data Protection Regulation is a solid basis for ensuring the supervision of the controller throughout the entire period of processing of personal data. Therefore, there should never be a situation where the controller doesn´t know who, where or how it processes the personal data of its clients, employees, patients and the like.