Controller and processor

Organisations often engage other organisations to process personal data for them. For example, by outsourcing the accounts. Or by using a cloud service that stores personal data. The organisation that engages another organisation is the controller. And the other organisation, that only factually performs the processing operations in accordance with the instructions provided by the controller, is called a processor.

In practice, it may sometimes be difficult to determine whether you are a controller or a processor. On this page, you can read how to deal with this. Here you can also read about the responsibilities of the controller and the processor.

Controller or processor?

The General Data Protection Regulation (GDPR) sets different requirements for controllers and processors. That is why it is important to make this distinction.

Controller

As an organisation, you are a controller if 1 of the following 3 situations applies:

  1. Your organisation decides that certain personal data are processed, for which purpose this is done, and how this is done. The other party has to follow your instructions. The relationship of authority may be evident, for example, from the written arrangements you have made. For example, in the processing agreement.
  2. The law explicitly states that your (type of) organisation is permitted or obliged to process certain personal data. In that case, you have explicit legal authority.
  3. The law does not say explicitly that you are permitted or obliged to process certain personal data. But it is obvious that you have to do this. Here you can think of employers that process personal data of their employees. Or associations that process the data of their members. In that case, you have implicit authority.

Processor

You are a processor if you process personal data on the instructions of another organisation. You do not use these personal data for purposes of your own, you only factually perform the processing operations. Because you do not make the important decisions, you do not bear the responsibility.

Do you also process personal data outside the instructions from the other organisation? Or do you process the personal data for purposes of your own? Then you do make important decisions and therefore you are, as a service provider, yourself the controller for those processing operations. It goes without saying that you will also have to meet the requirements that apply for controllers in that case.

If you are a processor, you have to comply fully with the instructions provided by the organisation that has instructed you to process personal data. But that is not the same as being directly subjected to the authority of the controller.

You work, for example, under direct authority if you have been seconded to another organisation. In that case, there is internal management within the controller's organisation. As a secondee, you are not a processor.

Multiple controllers

If you provide personal data to another organisation, this does not automatically mean that this other organisation is your processor. You could also both be controllers, even if it concerns the same personal data. In this case, both you and the receiving organisation will need a legal basis of your own.

The answer to the question of when the other organisation is not a processor but a controller depends on which party has the factual influence on the purpose and means of processing. Or, in other words: who decides for what purpose the personal data are processed and how this is done?

The other organisation will also be a controller if it:

  • uses the personal data provided by you for its own purposes, determined by that organisation itself;
  • only determines the means of processing, but these means are essential aspects of the processing.

Is the organisation to which you provide data not a processor, but a controller? Then you do not have to conclude a processing agreement with this organisation.

It also means that this organisation will have to determine for itself whether the processing operations meet all requirements from the GDPR. For example, whether there is a valid legal basis for processing the personal data.

You can use the following tools:

Example list: ‘Who is the processor and who is the controller here?’

EDPB guidelines on the concepts of controller and processor in the GDPR

Joint controllers

Do you work together with one or more other organisations? And do you determine the purposes and means of a certain processing activity together? Then you are joint controllers.

All organisations are responsible for the joint processing and also require a valid legal basis ‘of their own’.

You have to make proper arrangements in joint consultation about who factually ensures that the requirements of the GDPR are met. Participating organisations cannot hide behind each other, because each participating organisation can be held accountable by data subjects.

Obligations of the controller

As a controller, you remain responsible for the processing operations that are outsourced by you. After all, your customers, patients or citizens have entrusted their personal data to your organisation. It is therefore logical that you are not allowed to share their personal data with a random organisation without a reason.

In addition, your processor also has a number of responsibilities. The processor also has to meet the requirements of certain rules from the GDPR.

Requirements for outsourcing processing operations to a processor

Do you, as a controller, want to outsource a processing operation to a processor? Then you have to meet a number of specific requirements from the GDPR. These are, among others:

Reliability

You have to select a reliable processor that meets the rules of the GDPR. You must be, for example, sufficiently certain that the processor takes appropriate measures to secure the personal data.

Processing agreement

You have to conclude a processing agreement with your processor. In that agreement, you make arrangements about the exact processing assignment, among other things. And about what the processor is and is not allowed to do with the personal data provided.

Privacy rights

It is your responsibility to ensure that people can exercise their privacy rights. Even if it concerns processing operations outsourced by you. In the processing agreement, you record the working arrangements that you make about this with the processor.

Data breaches

Does your processor have a data breach involving personal data that the processor processes on your instructions? Then, under the GDPR, the processor is obliged to inform you about the data breach as soon as possible.

Does it concern a data breach that must be reported to the Dutch Data Protection Authority (Dutch DPA) and the victims? Then it is your responsibility to report that in a timely manner. A processor may only report data breaches to the Dutch DPA if you have authorised the processor to do so.

Make arrangements in the processing agreement to streamline the process for reporting data breaches. For example, to whom at your organisation the processor has to make a call in the case of a data breach, and in what manner and how often the processor keeps you up to date on the state of affairs concerning the data breach.

Other requirements

Finally, it goes without saying that you, as a controller, also have to meet all other rules from the GDPR.

Obligations of the processor

The controller remains responsible for the processing outsourced to you. But as a processor, you also have a number of responsibilities of your own. Both the controller and you are obliged to meet certain rules from the GDPR.

This is also what clients may expect from you. Besides, you stand out positively if you show that you know the rules from the GDPR and comply with them.

As a processor, you have a number of specific obligations under the GDPR:

  • You have to comply fully with the instructions received from the controller for processing of the personal data unless these instructions are contrary to the law. Do you not follow the instructions from the controller? Then the GDPR does not regard you as a processor, but as a controller with the respective obligations. Note: because you will not often have a legal basis for those processing operations yourself, you will be in breach of the GDPR quite easily.
  • You must have a processing agreement. With this agreement, you can demonstrate that you are allowed to process personal data and in what manner. You can then rely on the legal basis of the controller.
  • You have to secure the personal data appropriately.
  • You are only permitted to outsource the processing of personal data to subprocessors if you have obtained written permission from the controller for this purpose. The subprocessor must offer at least the same level of data protection.
  • Do you have a data breach involving the personal data that you process on the instructions of another organisation? Then it is your duty to inform the controller as soon as possible. This is because the controller is obliged to report certain data breaches to the Dutch Data Protection Authority within 72 hours. Sometimes, a controller is also obliged to inform the victims.
  • You have a duty of accountability. Depending on the size of your organisation, you have to appoint a Data Protection Officer (DPO), for example, or keep a processing register.