Data controllers and data processors
A data controller or a data processor may be a natural or legal person, public authority, agency or other body.
The General Data Protection Regulation defines special obligations for those who process personal data. Something new in the regulation is that many of the obligations that previously applied to the data controller now also apply to the data processor.
Anyone who processes personal data must ensure that the processing is carried out in accordance with all the provisions of the General Data Protection Regulation. Note in particular that the provisions of the General Data Protection Regulation concerning the data subjects' rights also mean obligations on the part of the person or entity processing the personal data.
A data controller is the organisation (for example a limited company, foundation, association or authority) that determines for what purposes the personal data is processed and how it is processed. It is thus not the manager at a workplace or an employee who is the data controller. A natural person can also be a data controller, as is the case for example with sole proprietorships.
Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and must decide together their respective responsibilities for compliance with the different obligations under the General Data Protection Regulation.
The identity of the data controller may also be laid down in law or ordinance, for example in special register laws.
A data controller can transfer the actual processing of personal data but never the responsibility for the personal data.
A data controller must ensure that the processing is carried out in accordance with all the provisions of the General Data Protection Regulation. The controller's personnel may only process personal data in accordance with the instructions issued by the controller.
The controller has a general responsibility, based on the privacy risks associated with the processing, to take appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the General Data Protection Regulation. This may involve adopting a policy with appropriate data protection strategies and ensuring that it is implemented in the organisation. Codes of conduct and various kinds of certification may be a way to demonstrate compliance with the General Data Protection Regulation's provisions.
A data processor is an entity that processes personal data on behalf of a data controller. A data processor is never part of the data controller's organisation. A data processor may be a natural or legal person, public authority, agency or other body.
The data processors that the data controller engages must be able to provide sufficient guarantees that the processing complies with the requirements of the General Data Protection Regulation and ensure that the data subjects' rights are protected.
A processor and its personnel may only process personal data in accordance with the instructions issued by the controller. The processor may not engage another processor without first obtaining the controller's written permission.
Something new in the regulation is that some of the obligations that previously applied to the data controller now also apply to the data processor, for example the requirements to maintain a processing record, ensure an appropriate level of security, and in certain cases designate a data protection officer.
The data processor can also be subjected to supervision or administrative sanctions and be liable for damages. The data controller and the data processor must draw up a so-called data processor agreement. The General Data Protection Regulation lists what such a data processor agreement is to contain.
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.