What is the difference between a data controller and a data processor?
A data controller refers to an organization, institution, or individual that sets the standards for personal data processing (Article 24). In practice, that means that a data controller is responsible for determining how and why data is going to be used by an organization. Most often, a data controller is a person or organization that actually gathers data and then dictates how it will be used.
This is in contrast to a data processor. According to GDPR, a data processor is an organization, institution, or individual that implements the standards for data processing established by the data controller (Article 28). Typically, although not exclusively, a data processor is a third party that processes data at the direction and discretion of a data controller. A data processor does not own any of the data it processes and is not in control of it. This means that a data processor cannot change the meaning of the data or direct how the data is used, and is bound by the instructions
While data controllers and data processors each perform different functions, there are two important things to note: 1) One organization can be both a data processor and a data controller; the two roles are not mutually exclusive. 2) Both a data controller and a data processor are obligated to comply with all components of GDPR.
For more context on the Regulation and how it impacts your business, read our GDPR Guide.