How & Why: Data Controllers & Data Processors


At this point, you should understand the mechanics of personal data under the intricacies of GDPR. If not, you can find my brief outline at the following link: (Personal Data.) A common issue faced by practitioners is the concept of Data Processing and the roles of Data Controllers & Data Processors – specifically their responsibilities & purpose. Below, I will shed some light on each aspect.

When is data “processed?”

To begin with, GDPR is only concerned with personal data and how it is being processed. The Regulation defines processing under Article 4(2) as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

This is an exceedingly broad definition that encompasses almost every conceivable activity. That breadth was the intention of those drafting the GDPR, and it provides significant protection to data subjects. Remember, should you carry out any of the above activities on personal data, that activity will be considered processing.

Data Controller: the importance of “why” & “how”

Data Controller is defined under Article 4(7) as the following:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Clearly, both companies and individual people can be considered as data controllers. The crux is whether or not such a person or company makes the decision on why the information is being processed or the manner in which it is processed - why & how. If they determine both, then they are the data controller.

It is also worth noting that there can be numerous data controllers in one scenario. These would be joint data controllers. For example: Hospital A and Hospital B are collaborating on a clinical trial to evaluate the effectiveness of a new drug for a specific medical condition. Both hospitals actively contribute to the study by recruiting participants, conducting medical examinations, and collecting various health data. The trial involves sharing and processing personal data of the participants, such as medical history, test results, and other relevant information. As both hospitals share the responsibility for determining the purposes and means of processing personal data, they would be considered joint data controllers.

Data Processor

Finally, a data processor is defined under Article 4(8) as the following:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

As their title clearly indicates, such parties are only responsible for the processing (defined above) of personal data. They do not have any role in determining how or why such personal information is being processed.

For example: Hospital A is the data controller, overseeing the clinical trial to evaluate the effectiveness of a new drug for a specific medical condition. Hospital B, a specialized laboratory, acts as a data processor, providing services related to the processing and analysis of the data generated during the trial.

Always remember:

In various data-sharing contexts, it's important to note that the designation of a data controller or data processor often lies with the institution, such as a hospital, rather than individual researchers, consultants, or practitioners. Whether in healthcare, business, or other fields, understanding this distinction is essential when engaging with data-sharing organisations.

While individuals may lead specific data-related initiatives, the overarching responsibility for compliance with data protection regulations and ethical data management practices falls on the entity overseeing the operations, such as a hospital or organisation. Recognising the institutional role of the data controller or processor underscores the collective accountability for protecting privacy, ensuring ethical data use, protecting data subjects' personal data and adhering to legal requirements in any collaborative data-sharing endeavour.

In conclusion

It may help to imagine processing as an activity, with Data Controllers and Data Processors being roles or functions around it. Think of data processing like a musical concert: the Data Controller is the conductor, directing the overall performance, while the Data Processors are the musicians, each playing their part under the conductor's guidance.
