Data Processor and Data Controller – which are you?

To clarify the definitions as related by the Official Journal of the European Union:

Data Recipient

A Data Recipient is a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not.

Data Controller (DC)

A Data Controller is a natural or legal person, public authority, agency or another body that determines the purposes and means of the processing of personal data.


Data Processor (DP)

A Data Processor is a natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.

The roles and obligations of both the Data Controller and Data Processor are included in my comprehensive Guide to GDPR for the Small Business Owner.

Processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

If a second Data Processor is engaged by the Data Processor to carry out specific processing activities on behalf of the controller, the same legal obligations apply. If the second processor fails to fulfil its obligations, the first processor remains fully liable.

This is significant for any processors working with clients, associates, or support professionals: Coaches, Consultants, OBMs, VAs, Trainers, Web Professionals, Copywriters – the list is endless.

Both controllers and processors have responsibilities and obligations under the GDPR.

If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.

Next up is GDPR Part 5 – Your Online Business
Previous – GDPR Part 3 – Your Personal Rights


Please note: The GDPR series of articles on this blog do not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text in itself.

Pin It on Pinterest