GDPR: Data Controller and Data Processor

The General Data Protection Regulation ("GDPR") entered into force in May 2016 and has been applied since May of 2018 so, basically, it's been around for almost four years now.

And yet, the same question pops up over and over again: “What's the main difference between the Data Controller and the Data Processor”?

Well, long story short: the Data Controller does something – actually, three things – that the Processor does not – and can not do – which is determining the why, the what and the how of the processing of personal data.

This difference is made clear by the very definitions provided by article 4 of the GDPR.

In fact, whereas the Controller is “the person, the legal person or the Authority which determines the purposes and means of the processing”, a Processor is needed “when the processing is to be carried out on behalf of” the Controller.

Here's the take home message: if a processing is carried out, there can be a Controller without a Processor – not the other way round.

–

We can help you comply with current law including GDPR and advise each time the law changes.

In this highly technical area we offer a pragmatic, solutions-focused and efficient approach.

Prevention is better than cure.