Cyprus: What Is The "Controller"and What Is The "Processor" Under The GDPR

Introduction

The GDPR imposes to the Controllers new data protection obligations. Further, in a change from previous legislation, processors have new statutory obligations in their own right under the new Regulation.

But what is a "controller" or a "processor"?</>h3

Controller

According to Article 4 of the GDPR controller means:

"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"

Simply stated , controllers are the main decision makers, the ones who exercise overall control over the purposes and means of the processing of the personal data, regardless of whether they directly collect the data from the data subjects.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

Processor

According to Article 4 of the GDPR processor means:

"the natural or legal person, public authority, agency or other body whichprocesses personal data on behalf of the controller".

Processors act on behalf and only on the instructions of, the relevant controller.

The duties of the Controllers.

Controllers have the highest level of compliance responsibility. Specifically, controllers must not only comply with, but also to demonstrate compliance with, all the data protection principles and requirements that GDPR imposes.

Controllers are also responsible for the compliance of their processor(s), if any.

Joint controllers must arrange between themselves who will take primary responsibility for complying with the GDPR obligations, and in particular transparency obligations and data subject's rights. However, all joint controllers remain responsible for compliance with the controller's obligations under the GDPR.

The duties of Processors.

GDPR imposes a number of direct obligations to the processors .

Supervisory authorities of the relevant Member State and individuals may take actions against a processor regarding a breach of those obligations.

Practical Uses.

To determine whether you as individual or your organisation is a controller or a processor, you will need to consider your role and responsibilities in relation to your activities.

If you or your organisation exercise overall control of the purpose and means of the processing of the personal data, then you are considered as a controller.

But if you or your organisation only act on a client' instructions, then you are considered as a processor, even if you or your organisation make some technical decisions about the proceeding of the personal data.

Originally published 10 August 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.