It’s a common belief that our personal data is in the hands of just one company. Indeed, when we buy a product, whether physically or online, we leave our data with the brand in question… At least that is what most people think.
But the reality is that your personal data (which is already collected by the organisation selling you a good) can also be given to other entities. Obviously, your consent is required for your data to be processed by other companies. In the case where you allow more than one company to handle your personal information, be aware that there are three roles assigned: The controller, the joint controller and the processor.
Before going into the specifics of each role, it is important to note that only the company itself (and not an individual within the organisation) has the right to process individuals’ data. This means that a CEO, a board member or an employee does not have the right to process customer information for personal use.
The roles and their features
Controllers have the highest level of responsibility for compliance. Indeed, they must comply and be able to demonstrate compliance with all the data protection and other requirements of the GDPR. This role belongs to the main entity that sells you a product. This means that the controller must inform you of the purposes and means of the processing of your personal data. They are also responsible for the compliance of their processor(s).
The joint controller
There can be one controller as well as several. Indeed, an entity is designated as a joint controller if it and the main controller together determine the purposes and means of processing the same personal data.
The processor does not have the same level of responsibility for compliance as the controllers. Indeed, the processor should not process the data differently from the controller’s instructions. But they are responsible for certain aspects of compliance in their own right, such as security, liability and data breach notification.
If a data processor goes beyond the controller’s directions and starts to determine its own purposes and means of processing, it may be subject to sanctions for non-compliance with the GDPR law.
The relationship between the roles
Once the relationship is established between the controller, the joint controller(s) and/or the processor, they must all ensure that they understand their respective duties under the data protection law and take into account the particular circumstances and requirements of each type of relationship.
For example, a relationship with a processor requires a written contract between the processor and the controller. On the other hand, a joint controller relationship does not require a contract but does require a transparency agreement that sets out their agreed roles and responsibilities to comply with the GDPR law.
Example of a case
Is Google a data controller or processor? As a business or organisation you control personal data and Google processes the data (on your behalf). Therefore, you are the data controller and Google the data processor.