What is a data controller?

A data controller is an entity that has sole discretion over how a person’s data is handled and processed. A data controller establishes the purposes and means for how the personal data is used. There are many more legal responsibilities and obligations for a data controller than a data processor.

How do I know if I’m a data controller?

If you answer yes to any of these questions, it’s likely that you’re a data controller.

  • Did your organization decide to collect and process the personal user data?
  • Did your organization determine the purpose of the data processing activity?
  • Do you have a direct connection with the data subjects?
  • Are you solely in charge of how the data is processed?
  • Did your organization decide what kind of personal data should be collected?
  • Will your organization commercially benefit from processing the data (not including payment for handling the data)?
  • Are you exercising professional judgment when processing personal data?
  • Have you outsourced the processing of the personal data to vendors? And if so, do you direct the vendors?

What is a data processor?

A data processor is an entity that processes personal data on behalf of the data controller. A data processor does not decide the purposes or the means of how the data is processed. A data processor simply handles the data in the manner outlined by a data controller. There are fewer responsibilities and obligations for a data processor than a data controller.

How do I know if I’m a data processor?

If you process personal data but answered no to all of the questions above, it’s most likely that you’re a data processor.

Can you be both a data controller and a data processor?

In some instances, yes. A business or entity can be considered a data controller with respect to some information and a data processor with respect to other information.

For example, consider a vendor that sends out mass emails on behalf of its clients, but does not use the information about the recipients for any purpose of its own. That vendor is likely a processor of the recipients’ personal data on behalf of its clients, the controllers. However, if the vendor also tracks visitors to its webpage and targets ads toward them, it is likely a controller of the personal data of its own website visitors because it decides how to collect and use that data.

What legal obligations does a data controller have compared to a data processor?

Various privacy laws, including the CCPA/CPRA in California and the GDPR in the EU, outline what steps a data controller must take in order to comply with the laws. Generally speaking, privacy laws have recognized that data controllers have more legal obligations and responsibilities than a data processor because controllers are the decision-makers when it comes to how the data is processed.

For example, a controller generally needs to provide notice to the people whose personal data it uses, and grant them certain rights, such as accessing a copy of their data or deleting it. Once you’ve established whether you’re a data controller or a data processor, SixFifty can help get you up to speed on what steps to take in order to become compliant with the respective privacy laws, both within the US and abroad.

SixFifty can help

Data privacy is complicated. Fortunately, SixFifty can ease the burden of building a robust privacy program for your company. SixFifty’s privacy solutions help organizations determine how to best handle data and generate customized legal documents as required by privacy laws around the world, including the five new state privacy laws effective in the US in 2023.