A GUIDE TO CONTROLLER-PROCESSOR CONTRACTS
The GDPR sets out strict requirements for when an organisation decides to utilise the services of another company to process personal data. The most important aspect to establish first is whether you are both acting as controllers of the personal data being processed or whether the service provider is acting purely as a processor, at all times under the instruction of the controller.
What is a controller?
A controller is a person, or more commonly an organisation, which controls the ‘means and purposes of processing’. The controller makes the decisions about how this personal data is collected, used, stored, transferred, kept secure, destroyed etc. and, among other matters, is responsible for fulfilling individual rights requests, such as Subject Access Requests.
What is a processor?
To be recognised as a processor, a person or organisation must process personal data on behalf of a controller and not use this data for their own purposes. For example, a processor may be an external company utilised to provide payroll, printing, marketing or website services.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.