The concepts of the “data controller” and “data processor” were established by the 1995 EU Data Protection Directive and remain fundamentally similar under the GDPR. This does not mean they are straightforward or mutually exclusive.
In practice, the application of these concepts has become increasingly complex due to the evolving nature of the business environment, the increased sophistication of outsourcing, and the growing tendency of organisations to centralise IT systems. However, they remain key for determining the allocation of legal obligations under the GDPR, which is essential for protecting the rights and freedoms of data subjects.
A data controller is the natural or legal person or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In other words, the data controller is the key decision maker with regard to personal data.
As a result, most of the responsibilities for compliance with the GDPR fall on the data controller’s shoulders. For example, the data controller is responsible for providing information to data subjects, ensuring that processing has a legitimate basis and that the data subject’s rights are honoured, carrying out data protection impact assessments in the case of “high risk” processing, ensuring that there is appropriate security for data, and determining whether notification to the ICO or data subjects is necessary in case of a personal data breach.
The data processor has some obligations under the Regulation (e.g., ensuring its international data transfers comply with the Regulation, having appropriate security in place, and notifying data controllers if there is a data breach), but it remains very much a subordinate figure, required by contract to process personal data only on documented instructions from the controller, who retains most liability under the Regulation. It is evident from this that determining the status of parties processing personal data is a critical issue, since, in most cases, the data controller will be the first target of the enforcement actions of the ICO.
In practice, the key aspect of a data controller is the ability to determine the purposes for which personal data is being collected, stored, used, altered and disclosed. In contrast, a processor is a person, other than an employee of the controller, who processes personal data on behalf of a controller.