Data controllers and data processors
A data controller or a data processor may be a natural or legal person, public authority, agency or other body.
The General Data Protection Regulation defines special obligations for those who process personal data. Many of the obligations that apply to the data controller also apply to the data processor.
Anyone who processes personal data must ensure that the processing is carried out in accordance with all the provisions of the General Data Protection Regulation. Note in particular that the provisions of the General Data Protection Regulation concerning the data subjects' rights also mean obligations on the part of the person or entity processing the personal data.
A data controller is the organisation (for example a limited company, foundation, association or authority) that determines for what purposes the personal data is processed and how it is processed. It is not the manager at a workplace or an employee who is the data controller. However, a natural person can also be a data controller, for example in cases of sole proprietorships.
Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers and must decide together their respective responsibilities for compliance with the different obligations under this General Data Protection Regulation.
Who the data controller is can also be stated by law or ordinance, for example in specific register laws.
A data controller can outsource the actual processing of personal data but never the responsibility for the processing of personal data.
A data controller must ensure that the processing is carried out in accordance with all the provisions of the General Data Protection Regulation. The controller's staff may only process personal data in accordance with the instructions issued by the controller.
Based on the privacy risks that exist in connection with the processing, the controller has a general responsibility to take appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the General Data Protection Regulation. This may involve adopting a policy with appropriate data protection strategies and ensuring that it is implemented in the organisation. Codes of conduct and various kinds of certification may be a way to demonstrate compliance with the General Data Protection Regulation's provisions.
A data processor is an entity that processes personal data on behalf of a data controller. A data processor is never part of the data controller's organisation. A data processor may be a natural or legal person, public authority, agency or other body.
The data processor that the data controller engages must be able to provide sufficient guarantees that the processing complies with the requirements of the General Data Protection Regulation and ensure that the data subjects' rights are protected.
A processor and its staff may only process personal data in accordance with the instructions issued by the controller. The processor may not engage another processor without first obtaining the controller's written permission.
Some of the obligations that apply to the data controller also apply to the data processor, for example the requirements to maintain a processing record, ensure an appropriate level of security, and in certain cases designate a data protection officer.
The data processor can also be subjected to supervision or administrative sanctions and be liable for damages. The data controller and the data processor must enter into a data processor agreement. The General Data Protection Regulation lists what such a data processor agreement must include.
About the information on this page
If the information in English is different from the Swedish version of this page, the Swedish version applies.