Do you act as a data processor or data controller? Or maybe both? As a company, you may well be both a data processor and a data controller. Learn more about the differences here…
The difference between data processor and data controller
As a data controller, you are responsible for deciding the purpose of the data processing and how personal data is processed and stored.
Companies can use suppliers that process personal data, for example a system that processes the information on behalf of the company. A supplier that processes personal data on the company's behalf in this way is a data processor.
The data processor and data controller must enter into a data processor agreement setting out the rules and circumstances of the processing.
Checklist for data processors:
- Remember to have a clear data processor agreement with the data controller
- The personal data may not be used for any purpose other than the task that you perform for the data controller
- When the assignment or underlying commercial agreement is terminated, the personal data must be deleted or returned to the data controller
- As a data processor, you must help the data controller to fulfill its obligations under the GDPR
- You must provide documentation of your compliance with the GDPR that can be reviewed
To-do list if you are a data controller and use data processors:
- You must ensure that you have a legal basis for the processing
- You must have a written, complete and legal data processing agreement
- You must supervise all data processors and sub-processors – typically every year
To supervise data processors and sub-processors, you must do one of the following:
- Carry out physical supervision of the data processor and sub-processor
- Request a Processor and Sub-Processor Statement stating that the GDPR and the Processor Agreement are complied with
- Maintain control and oversight of data collection from the data processor and sub-processor