Data Controller, Data Processor, Data Subject. What is the Difference?

We have discussed at length the rights of data subjects and the responsibilities of data controllers. We now shift our focus to another key player in the data protection ecosystem: the data processor. But first, let us unpack the key differences between each of these players.

1. Data Controller

A data controller is the entity or person that determines the purposes and means of processing personal data. In simpler terms, it is the decision-maker. For example, an insurance company that collects personal data to provide coverage or process claims acts as the data controller. The controller is responsible for ensuring that data is processed in accordance with the law, meaning they must comply with principles such as lawfulness, fairness, and transparency.

In an earlier article, we dealt with the responsibilities of data controllers. Read more here:

2. Data Subject

A data subject is an individual whose personal data is being collected, held, or processed. The Botswana Data Protection Bill focuses heavily on safeguarding the rights of the data subject. These individuals hold key rights under the bill, which we previously covered. Read more here:

3. Data Processor

A data processor is a separate entity or individual that processes personal data on behalf of the data controller. While the controller makes the decisions, the processor executes those decisions by handling the data as instructed.

For example, imagine a hospital that uses a third-party company to manage its electronic patient records. Here, the hospital is the data controller because it collects patient data and determines how and why this data should be processed. The hospital decides what data to collect, such as medical history, treatment records, and contact information.

The third-party company that the hospital hires to store, manage, and organize these electronic patient records is the data processor. This company does not decide the purpose of the data processing; it simply processes the data according to the hospital's instructions. It might store the data on its servers, maintain the electronic record system, and ensure the security of the data.

The patients themselves are the data subjects, whose personal medical information is being collected and processed by both the hospital and the third-party company.

Though the processor does not determine the purpose of data processing, it is still subject to compliance obligations under the law, which we will look deeper into next week.

Article by Princess Musa Dube

If you have interest in an in-depth discussion on this subject matter or any Data Protection related issues, feel free to contact us at:

[email protected] Tel: 3116371

Disclaimer: This article is for information purposes only and should not be taken as legal advice.
