Why do I need to know whether I am a processor or a controller?
Depending on your role in the processing of personal data, you have different requirements in terms of contractual and documentation obligations. Ideally, you should start your data protection journey with the record of processing activities (RPA) and define here which role you take on for which activity. If you create the DPIA with a tool such as Metasoul, you have already laid the foundation for taking the correct obligations of the respective role into account.
How do I know when I am a processor or a controller?
As already mentioned, you can be either the controller or a processor of personal data.
You are the controller if you have full control over what data you collect, for what purpose and how this data is used. As an example, this could be a small local restaurant that operates a website where customers can book tables. The restaurant decides which personal data (such as name, telephone number, e-mail address) is collected from customers and how this data is used to process reservations and possibly send advertising for future offers. If you are the controller, you usually work together with other service providers or suppliers who help you with the processing of data. This could be Microsoft, because you use Outlook for customer communication, or the hosting provider on which your website runs. These service providers or tool providers are your processors. You should know who your processors are for each process in the RPA where you are the controller.
You are a processor if another company provides you with data from its customers or employees with a clear instruction as to what you should do with it. You are not free to decide what you do with the data. For example, this could be an IT service provider that has been commissioned by the restaurant to operate and maintain the website. The IT service provider has access to the personal data of customers that is collected on the website, but it may only process this data as specified by the restaurant and not use it for its own purposes. If you are a processor, this means that you have customers for whom you provide a service. You will probably also have processors who support you in providing services to your customer. From your customer's perspective, these are sub-processors. For each process in the RPA where you are a processor, you should know who your customers and your sub-processors are for the respective process.
If you use a tool such as Metasoul, after deciding whether you are a controller or processor, you will be asked who your processors or your customers and the associated sub-processors are.
Quite simple really, isn't it? There is a third, rather rare role that we have not yet mentioned: the joint controller. Here you work together with other companies and decide together with the others which data you collect for which purpose and how this data is used, or it must be agreed who has to assume which data protection responsibilities. For example, this could be two independent retail businesses in the same city that decide to offer a joint customer card that can be used in both shops. Both shops jointly decide what data is collected from customers and how this data is used to grant discounts and send advertising for both shops. They must agree on who does what, and they are both responsible for ensuring that the data processing complies with data protection laws.
Conclusion
For the correct creation of contracts relevant to data protection, but also for the correct documentation in the record of processing activities, it is important to know when you are a controller or a processor. While a controller determines which data is collected and processed for which purpose, the processor is told how to process which data. In addition to the two roles mentioned above, there is also the role of "joint controller".