In Week 1, we have briefly introduced data controllers, joint controllers, and processors. In this video, we will zoom in on these concepts. And in the following steps for this week, we will discuss their corresponding GDPR obligations. In brief, data controllers are those who determine the purposes and means of processing personal data. When two or more controllers do so jointly, they are joint controllers. Processors, on the other hand, are those engaged in processing personal data on behalf of controllers. They will follow instructions given by controllers and cannot make decisions on the choice of purposes and means in data processing.
For example, if a company, the controller, uses Google’s cloud service, Google, the processor, may not disclose, disseminate, or otherwise make the data available to another company without clear permission of the controller. To identify controllers and processors, the key is to establish who determines purposes and means of data processing. Purposes and means are thus the most important factor in identifying controllers, joint controllers, and processors. EU and national law determine the purposes and means and the related criteria to nominate controllers. To make these concepts more clear, visualise a ship. Imagine that it is processing data. The data controller is the captain of the ship. And the data processors are the sailors.
This analogy can be used to identify many similarities, relationships, roles, and obligations. Like a captain, a data controller manages and controls the processing of the data, the ship. He determines the purposes, the destination, and the means, or the course of the voyage. Like a sailor, a processor is contracted by the controller to carry out data processing for the purpose and with the means determined by the controller. Processors, sailors, act under the captain’s instructions and report issues to the controller. The only difference in this analogy might be that there is only one captain in control of a ship, while there could be several captains or joint controllers on the ship of data processing. Let’s now illustrate this with an example.
If your company or institution is using the cloud service provided by Google for business purposes, then your company is the captain, or data controller, who determines the purposes of data processing and its means using the cloud service. Google is the sailor, or data processor, who processes data on your company or institution’s behalf, like the crew of a ship who cannot act without the authorisation of the captain. If your company or institution conducts an online survey jointly with another company or institution, for example, for market promotion purposes, and both agree to share and process the collected data via Google’s cloud service, then both companies or institutions are joint controllers. Google is still the data processor.
Data processors, like sailors, are the crew of the ship and have fewer responsibilities and obligations than controllers. Many of the responsibilities and obligations are similar to those of data controllers, such as ensuring data security and maintaining a record of data processing, while other responsibilities and obligations are specific to data processors. Data controllers, including joint controllers, like captains, take more responsibilities and obligations under the GDPR. They have to take appropriate technical and organisational measures to ensure the rights to privacy and data protection of data subjects. For a general overview of the major GDPR obligations for data controllers, joint controllers, and processors, please watch the following videos for this week.
If you want to know more, a more detailed explanation can be found in the following steps for this week.
Who are controllers and processors?
Who are data controllers, joint controllers and processors and what are their obligations? Watch this video to find out more.
The definitions in Article 4 GDPR determine who controllers and processors are. Controllers are those who determine the purposes and means of processing personal data. Processors are those engaged in processing personal data on behalf of controllers. To identify controllers and processors, the key is thus to establish who determines the purposes and means of data processing. Purposes and means are the reasons and modalities for collecting personal data: which data is collected for what reason, why is this data collected and what will it be used for? The actor who determines this is the controller and the actor who assists the controller in processing activities is the processor.
To make this more clear: if you visualise a ship and imagine that it is processing data, the controller is the captain and the processors are the sailors. A controller manages and controls the processing of the data (the ship) and determines the purpose (the destination) and the means (the course of the voyage). A processor is contracted by the controller to carry out data processing for the purpose and with the means determined by the controller. Processors (sailors) act under the captain’s instructions and report issues to the controller.
For example, a company has personnel and clients. It needs to have an administration with personal data on its staff and clients (name, date of birth, address, etc.). This administration is kept in electronic files. It will need an IT infrastructure to facilitate this. If the company decides to contract external parties for salary administration and IT, the company determines which data is processed for what reason. The company is the controller because it determines the purposes and means. The external parties process the data on behalf of the company and under its instructions. The salary administration and IT services are processors.
Both controllers and processors have responsibilities and obligations under the GDPR.
© University of Groningen