Controller, joint controller and processor

Regulation (EU) 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation, or GDPR, provides definitions of several entities actively involved in the processing of personal data. Below we explain when an entrepreneur will be considered a controller, a joint controller, and a processor under the GDPR.


As defined in the GDPR, a controller is a body which determines the purposes and means of the processing of personal data in its possession. 

A controller may be:

  1. a natural person;
  2. a legal person (e.g. a limited liability company);
  3. a public authority (e.g. a municipal office);
  4. an agency or another entity (e.g. a general partnership).

Therefore, it is the entity itself, for example a commercial law company, that is the controller of personal data, and not its representative bodies (e.g. a company’s management board).

Neither the GDPR nor any other legal act specifies the exact meaning of the phrase “to determine the purposes and means of the processing of personal data”. Consequently, whether an entity is a controller depends on its specific situation. Put simply, a controller is a person (or another entity) that decides on the purposes and means of the processing of personal data.

Accordingly, entities that could be considered controllers may include, for example:

  1. an entrepreneur that holds personal data of its customers;
  2. a commercial law company that holds personal data of its employees;
  3. an association that holds data about its members, etc.

Main obligations of a data controller

The primary responsibilities of a personal data controller include:

  1. implementing relevant technical and organisational measures to process personal data held by it in accordance with the GDPR;
  2. implementing appropriate technical and organisational measures to establish the necessary safeguards to protect personal data;
  3. appointing a personal data protection officer; 
  4. exercising data subjects’ rights, upon request;
  5. maintaining a record of processing activities;
  6. conducting a personal data breach risk analysis;
  7. cooperating with the supervisory authority – President of the Personal Data Protection Office, which includes notifying it of any breach of personal data.

Joint controller

A joint controller is an entity that determines the purposes and means of personal data processing jointly with another entity (or other entities). For example, joint controllers could be partners in a civil law partnership acting jointly within the framework of the partnership they have established.

Joint controllers determine their respective responsibilities for compliance with the obligations under the GDPR.


A processor is a natural or legal person, public authority or another body which processes personal data on behalf of the controller (e.g. an external provider of accounting services to a business).

Under the GDPR, a controller may only use processors providing sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the personal data processed by them.

Processing of personal data by a processor is governed by a contract concluded between the processor and the controller or by another legal act under Union or Member State law (including the legal provisions applicable in the Republic of Poland).

Main obligations of a processor

Most notably, a processor:

  1. processes the personal data only on documented instructions from the controller;
  2. ensures that persons authorised to process the personal data have committed themselves to confidentiality;
  3. assists the controller in ensuring compliance with its obligations under the GDPR;
  4. maintains a record of the categories of processing activities carried out on behalf of the controller.


To conclude, a controller and joint controllers are the main entities that process personal data in their possession within the framework of the established purposes and means of their processing. They are also the entities which bear full responsibility for the data they collect, possess, and otherwise process in the course of their business or professional activity. 

The situation of processors is different as they are not independent entities when it comes to the processing of personal data entrusted to them. They are liable to controllers for every action performed on the personal data, which makes such entities dependent on the controller’s instructions.
