Controllers and processors

Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?

Regardless of how organisations describe themselves in any contract about processing services, it will be a matter of fact as to whether an organisation is a controller, i.e. whether it determines the purposes and means of processing.

Can you be both a controller and a processor of personal data?

Yes. If you are a processor that provides services to other controllers, you are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data. However, you cannot be both a controller and a processor for the same processing activity.

In some cases, you could be a controller and a processor of the same personal data – but only if you are processing it for different purposes. You may be processing some personal data as a processor for the controller’s purposes and only on its instruction, but also process that same personal data for your own separate purposes.

In particular, if you are a processor, you should remember that as soon as you process personal data outside your controller’s instructions, you will be acting as a controller in your own right for that element of your processing.

If you are acting as both a controller and processor, you must ensure your systems and procedures distinguish between the personal data you are processing in your capacity as controller and what you process as a processor on another controller’s behalf. If some of the data is the same, your systems must be able to distinguish between these two capacities, and allow you to apply different processes and measures to each. If you cannot do this, you are likely to be considered a joint controller rather than a processor for the data you process on your client’s behalf.