Controllers and processors
Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
Regardless of how organisations describe themselves in any contract about processing services, whether an organisation is a controller is a matter of fact, i.e. whether it determines the purposes and means of processing.
- Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the law and the fair treatment of individuals.
- Your obligations under the law will vary depending on whether you are a controller, joint controller or processor.
- The Commissioner has the power to take action against controllers and processors.
- Individuals can bring claims for compensation and damages against both controllers and processors.
- Take time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
Can you be both a controller and a processor of personal data?
Yes. If you are a processor that provides services to other controllers, you are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data. However, you cannot be both a controller and a processor for the same processing activity.
In some cases, you could be a controller and a processor of the same personal data – but only if you are processing it for different purposes. You may be processing some personal data as a processor for the controller’s purposes and only on its instruction, but also process that same personal data for your own separate purposes.
In particular, if you are a processor, you should remember that as soon as you process personal data outside your controller’s instructions, you will be acting as a controller in your own right for that element of your processing.
If you are acting as both a controller and processor, you must ensure your systems and procedures distinguish between the personal data you are processing in your capacity as controller and what you process as a processor on another controller’s behalf. If some of the data is the same, your systems must be able to distinguish between these two capacities, and allow you to apply different processes and measures to each. If you cannot do this, you are likely to be considered a joint controller rather than a processor for the data you process on your client’s behalf.