Data plays a crucial role in the modern world of business and technology. It helps us to better understand the world around us and to assist people in the ways they require.
Using data effectively requires careful data management processes that keep people’s information safe, which is why data controllers and data processors are essential. Under the General Data Protection Regulation (GDPR), these two roles define how personal data is processed and protected, and how compliance with the relevant regulations is maintained.
While people sometimes use the terms interchangeably, each one has its own distinct definitions, responsibilities and legal obligations. In this guide, we’ll make the key differences between a data controller and data processor as clear as possible, as well as their responsibilities and how they interact in practice.
What is a data controller?
A data controller is an organisation or individual that determines the purposes and means of processing personal data from a data subject. In practical terms, that means a data controller has the ultimate decision-making authority over the collection, use, and storage of personal data.
Responsibilities of a data controller:
- Define the purpose of data collection and data processing
- Establish methods for data collection, factoring in data privacy and compliance with GDPR principles
- Ensure that data is stored securely, including protections against unauthorised access, data loss, alteration or disclosure. This may involve appointing a data protection officer to monitor these protections on an ongoing basis.
- Document an organisation’s lawful purposes for processing data.
- Manage data subject rights, including handling data subject access requests, privacy notices and erasure requests.
Organisations can establish themselves as trusted data handlers by upholding these responsibilities, carefully controlling what personal data is used for and keeping it safe.
Examples of data controllers:
- A retailer that collects customer information for marketing purposes.
- An employer that processes employee data for payroll and HR purposes.
Not every organisation, such as a voluntary group or an unincorporated association, will have a separate legal entity to act as data controller. In these cases, the person responsible for the organisation’s management on behalf of its members will likely be designated as the data controller.
While an organisation may be identified as a data controller, for legal purposes the relevant individuals will be making the overall decisions.
What is a data processor?
Unlike the controller, the data processor does not decide how or why data is processed. Instead, they follow instructions set out by the controller to process data on their behalf. They act under the authority of the data controller, only carrying out what processing is required.
Responsibilities of a data processor:
- Process relevant data in compliance with the documented instructions from the data controller
- Follow any relevant data protection laws (GDPR)
- Implement data security measures to keep all data safe. This can be at both the technical and organisational level.
- Inform the data controller of any data breaches promptly.
- Ensure any subcontractors or third parties adhere to the same data protection standards as the data processor itself.
As data processors assist controllers, they must hold themselves to the same standards while carrying out any actions on the controller’s behalf. By doing so, they reinforce themselves as a trusted data processor that data controllers can rely on.
Examples of data processors:
- A payroll service provider processing employee salaries on behalf of a business.
- A cloud storage provider hosting customer data for a company.
When a data processor exists outside of the data controller’s organisation, it may be referred to as a third-party processor. This term has the same definition as a data processor while making it clear that the processor is a separate entity from the data controller.
Key differences between a data controller and a data processor
Of the distinctions between data processors and data controllers, a key one to note is that the controller carries the primary responsibility for compliance with the law.
This is because the controller holds the higher authority of the two. Data controllers are responsible for establishing the purpose and means of the processing carried out by data processors. There will usually be a data processing agreement (DPA) between the controller and the processor, created by the former, that sets out the roles, responsibilities and obligations of both parties.
For more detail on the differences, we’ve broken down each aspect of the relationship between data, controllers and processors to make the distinctions as clear as possible:
Obligations under GDPR
Data controller obligations
- Drafting and maintaining data processing agreements with processors.
- Ensuring transparency by providing privacy notices to data subjects.
- Conducting data protection impact assessments (DPIAs) for high-risk processing activities.
Data processor obligations
- Maintaining records of processing activities.
- Assisting controllers in responding to data subject requests.
- Complying with GDPR security requirements, such as encryption and access controls.
Joint controllers and sub-processors
Beyond the two main roles, there are other roles relating to the control and processing of data that are worth being familiar with. These are variations of the main two, sharing similar attributes but with some key differences.
Joint controllers
When there are two or more organisations deciding the purposes and means of data processing together, they are considered joint controllers. They share the same responsibilities, defining their roles in a transparent agreement, and outlining their decisions in tandem.
Sub-processors
A processor may engage sub-processors to assist with data processing. To do so, they must obtain prior authorisation from the controller and ensure the sub-processors also follow all the same instructions and compliance.
Common misconceptions about data processors and controllers
- “A controller is always a business, and a processor is always a third-party service.”
  Organisations can act as both controllers and processors. This will depend on the specific data processing activity.
- “Processors have no accountability under GDPR.”
  Processors still have direct obligations under GDPR. They can be held liable if their activities result in a breach of their responsibilities.
- “Once a data processor is engaged, the controller has no further responsibility.”
  Controllers are still accountable for ensuring compliance and monitoring the processor's activities. This means they have ultimate responsibility for both parties.
Best practices for data controllers and processors
For data controllers
As controllers are the ones outlining the means and purpose for all things data, you should clearly define the roles and responsibilities in data processing agreements from the start.
Make sure to document all aspects of your data collection, processing and security policies in detail, so that any relevant parties can understand your approach to data and ensure they comply fully with your policies.
Regularly audit your data processors to ensure their ongoing compliance with GDPR, as their compliance failures will also affect you.
For data processors
You should maintain accurate records of all processing activities conducted for data controllers, in case you later need to audit all activities for their compliance against policies.
Use secure technologies to protect personal data handled on behalf of data controllers, as any breaches could result in legal action against you. Additionally, ensure all staff handling personal data are trained in GDPR compliance so you’re not violating any of the GDPR principles.
Key takeaways and wrap up
In this article, we have helped you to understand the following:
- Data controllers define the purposes and means of processing, while data processors act on their instructions.
- Both controllers and processors have distinct responsibilities under GDPR.
- Regular audits, clear contracts, and secure practices are essential for maintaining compliance.
Data controllers vs data processors - FAQs
What is the main difference between a data controller and a data processor?
A data controller decides the purposes and means of processing personal data, while a data processor acts on behalf of the controller to carry out any processing by following their instructions.
Can an organisation be both a data controller and a data processor?
Yes, an organisation can act as both, depending on the specific processing activities. For example, a company may act as a controller for its employee data but as a processor for customer data managed on behalf of another organisation.
Who is liable for GDPR violations?
Both controllers and processors can be held liable for GDPR violations, depending on the cause of a breach. Controllers are responsible for overall compliance, while processors are accountable for fulfilling their specific obligations. Therefore, the overall liability will need to be assessed on a case-by-case basis.
Do processors need to comply with GDPR directly?
Yes. All processors must comply with GDPR requirements, such as maintaining data security and notifying controllers of breaches.
What legal documents are required between controllers and processors?
A data processing agreement (DPA) must outline the roles, responsibilities, and obligations of both parties, ensuring GDPR compliance.