It’s one of those things that people struggle with. Am I a Data Controller or Data Processor?

Let’s talk through what each one is and the role that they play.

Data Controller
The Data Controller decides how information is collected, used, stored and destroyed. Effectively they are in charge of the personal information that they are collecting. They are responsible for informing the individual, via privacy information, how the information will be used, shared, stored and retained.

Data Processor
The Data Processor works on behalf of the Data Controller. They do as they are instructed and need to meet guidelines for security, retention and destruction. Often the individuals interacting with the Data Controller will be unaware of the Data Processor’s identity.

In practice
Think Amazon and their delivery partners. Amazon is the Data Controller deciding the information that is collected and their delivery partner has the information needed to provide the delivery service. If the delivery is late or the package damaged you speak to Amazon about it, not the delivery partner.

You probably work with a lot of data processors, that you never think about. For example, we use SendInBlue to send our newsletters, they are a data processor working on our behalf to provide delivery services. When you make payment for something from our training and document platform, we have a payment provider who is a data processor. When you provide a video conferencing meeting facility, you are using a data processor for that function. Companies which have outsourced any services such as IT, HR, Payroll, or who have freelancers or contractors will be creating a data processor relationship with those companies providing the support if they have access to personal information.