Date: July 09, 2020
Modified November 14, 2023
Written by: Valerie Lipman
Reading time: +/- 2 minutes
When personal data is processed, it is (usually) subject to the General Data Protection Regulation (AVG). In order to know what obligations this leads to, it is important, among other things, to determine whether one is acting as a processor or as a controller. These are two terms from the AVG that quite often lead to confusion. One consequence is that processor agreements are entered into that are unnecessary and incorrect. But what exactly is the difference between a processor and data controller?
The controller is the one who determines for what purpose personal data are processed and by what means the processing takes place. In other words, it is the one who determines exactly what happens.
The controller may engage another party to process personal data on its behalf. In that case, that other party is processor. Being a processor only exists if that party has no, or only minimal, control over the processing. If there is discretion to carry out the order to process personal data, the requirements to be considered a processor are not met.
To answer the question of whether someone should be considered a data controller or processor, it is helpful to determine why the data processing is taking place and who initiated it.
An example of a processor is an ICT company that is engaged for an e-mail campaign already fully thought out by the principal. At least, if this ICT company does little more than send emails drafted by the client (the processor), to contacts named by the client, in the period specified by the client.
If the same ICT company is commissioned to set up a successful advertising campaign and the ICT company uses e-mail on its own initiative, there is no question of being a processor. In the latter situation the ICT-company has to be regarded as a processor. In that case, the assignment to the ICT company is not so much about processing personal data as a goal in itself, but much more about generating awareness.
Another example is a security company that installs and maintains surveillance cameras and gives its customers access to the images via its website (this involves processing personal data if persons are visible on them). The security company is considered a processor if the customers themselves determine: where the cameras are hung; how and where the images are stored; how long the images are kept; who has access to them; et cetera.
When that same security company is commissioned to secure premises, possibly through the use of security cameras, a completely different situation suddenly arises. In that case, the security company is a data controller, now that the security company itself decides how to deploy the cameras. The task in that case has also changed from processing personal data to securing premises, where processing personal data is no longer the primary task.
When processing personal data, several parties may qualify as data controllers. If they jointly determine the purpose and means for which personal data are processed, they are joint controllers. The latter ensures that they have to make agreements on how they comply with their obligations under the AVG, especially as regards providing information to those whose personal data are being processed.
If there is a controller who engages a processor, different arrangements must be made. In that case a processor agreement must be concluded, which, among other things, ensures that the processor secures the personal data properly and processes them only on the basis of the instructions given by the controller.
If, even after reading this blog, you are not sure whether you are a data controller or processor, or have other questions about privacy, please contact one of our privacy attorneys.
As attorneys for business owners , we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.