What am I? A controller or a processor?

What am I? A controller or a processor?

Every organisation which has employees, is a controller to their employees. The factor which determines that the organisation is controller is that it decides on the purpose for employment, and why/how this is done. 

However, a controller to their employees, can be a processor to their customers, e.g. take a cloud service which your business maybe using, such as Dropbox, Office365, etc., which your employees use to be productive. This cloud service provider is a processor to your organisation, but that does not stop them being a controller to their own employees. In this example they are both controller (to their employees) and processor (to their customers).

All public authorities are controllers to their citizens, and every citizen cannot avoid using public services. The hospitals are controllers to our health data and and schools to children's data.

Every controller is also a processor, after all it is impossible to collect personal data without using that data one way or another, even if the controller engages a processor to collect the data, or to process the data, e.g. call-centres. The reason being is that it is the controller which decides that personal data must be collected and why. The processor must do exactly what the controller says and this is done using a legal document called a Data Processing Agreements (DPAs).
    • Related Articles

    • Which party is liable?

      Making GDPR compliance easy with Privasee · Who is accountable? Are you a controller or a processor? Which party is liable? Who is the controller and who is the processor? The controller is liable for not selecting their processor with care; and ...
    • How can we be a joint-controller?

      If 2 or more controllers have a say in the purpose and means on the processing of personal data they are potentially joint controllers.   If there is a case of a joint controller situation then it needs to be clear in a contract between the ...
    • What does it mean that we have 72 hours to report a breach?

      When you are data controllerFrom the moment a personal data breach has been confirmed, your organisation has 72 hours to decide (and report) if it presents a high risk of harm to the rights and freedoms of an individual and if so it must be reported ...
    • What is pseudonymised data?

      Pseudonymised data is reversible. Normally what entails is that a name could be replaced with a unique ID, and maybe there's a table somewhere to enable the processor to be able to reverse back again. Now pseudonymised data is still personal data ...
    • What makes consent legal?

      Making GDPR compliance easy with Privasee · What is consent? What makes consent legal under GDPR? In order for consent to be legal it must be:  informed consent that is data subject must know what they are consenting to. It must be freely-given in ...