Who is the data controller and who is the data processor?
The short answer is that a data controller is the one who decides what information should be collected and what it should be used for. The data processor is the person handling the personal information on instruction from the data controller.
If company P conducts polls on instructions from other companies and does not use the collected data itself, then P will be the data processor.
Shared data responsibility or both data processor and data controller
Just because you are a data processor or data controller in one context doesn't mean you always will be. You can even be both data processor and data controller at the same time.
Using the example given above: if P uses the information it collects on behalf of another company (F) for its own purposes, then P will be the data processor for the information it processes and transfers to F, but the data controller for the information it uses for its own purposes.
If P and F have agreed that they can both use the information from the poll for their own purposes, they will, on the other hand, be shared data controllers.
Why is it important?
There are two main reasons why there is a need for a clear distinction between who is who.
- Data processors may only process the data they are provided by the data controller with the means and to the extent the data controller has allowed, and the data processor may not use the information it has been given for its own goals.
- If it isn't clear who is who, then both will be considered as data controllers.
It is the data controller who is responsible for the data processed. That is why the data controller will be subject to fines if the GDPR rules are violated. Therefore, if you are managing information that you really have no interest in, you would prefer not to be considered the data controller.
The clear distinction is achieved through a data processing agreement, which can be generated through our GDPR wizard in ComplyTo GDPR.