Data Controller vs. Data Processor
6:42
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information.
Transcript

00:08
Adam Stofsky
Shannon, I'd like to ask you about what I think is a common source of confusion in privacy law: the distinction between a data processor on the one hand and a data controller on the other. I know different laws refer to these.


00:23

Shannon Yavorsky
Roles in different ways, but I think the distinction remains the same. 


00:26

Adam Stofsky
Can you explain what that is and why it's important? 


00:30

Shannon Yavorsky
Yeah, it's a really interesting topic. It really started in Europe with the GDPR, which set out the concept of a data controller, which is an entity like the company that determines why data is processed and how it's processed. So why the data is being collected and how it's being collected and the reasons for which it's collected. That's really what the data controller role is. And then the processor is more like a dumb pipe, right? Like the processor is only supposed to do what the data controller asks it to do. Think about like a cloud storage provider. They're just supposed to store the data. They're not supposed to use it for any other purpose other than to simply store that data, like they're a one-trick pony.


01:18

Shannon Yavorsky
And that distinction is really critical because different obligations under the GDPR apply to you if you're a controller versus if you're a processor. So, for example, the data controller has really the obligation to present the user with a notice. So why the data is being collected, what it's being used and shared for, and the data processor really just has to act on the data controller's instructions. There's like a data processing agreement that's in place between the parties that says, hey, data processor, you can only use this data for this purpose and it's set out in the agreement and that could be storing the data for me and for no other reason. And then it will also say, you, data processor, will keep that data secure. You'll let us know if there are any data breaches. 


02:10

Shannon Yavorsky
You'll also let us know if an individual asks you to delete their data. And you're going to let us know first because really, that's our data. So that in Europe is the distinction between a controller and a processor. And that concept has been widely adopted under the 13 different, well, as of today, 13 different state privacy laws, starting with California, that for some reason decided they didn't want to use the words controller and processor and instead used the words business, which is kind of like a controller, and service provider, which is really like a data processor. But fundamentally it's a similar concept. Like the business has the obligation to present the user with the privacy notice, and the service provider, really a lot like the processor, has to really just follow the instructions of the data controller.


03:03

Shannon Yavorsky
There has to be a data processing agreement in place and very similar obligations. You'll notify us of a data breach. You'll only use the data for these set purposes. You're not going to retain it for any other purpose, you'll return it to us at the end of the agreement. So these concepts are really important because they really describe what obligations will attach to the organization depending on whether they're determined to be a controller or processor or business and service provider. 


03:35

Adam Stofsky
I kind of like the business service provider language. I don't know, it seems intuitive to me because a data controller, the way you're describing it's basically their data, right? This is like your company's, I don't know, maybe it's your customer list or your marketing list or information about your customers, like purchase history, whatever you have. 


03:56

Speaker 4
Right. 


03:56

Adam Stofsky
That's your data. And the processor are like people you're. 


04:03

Shannon Yavorsky
Paying money to do things usually, I guess, paying money to do things with that data. 


04:06

Speaker 4
Right. 


04:06

Adam Stofsky
It could be cloud storage, payroll providers, even like your email provider. Right. All of these different companies have your data. That's why they're subject to these laws as well, is that right? 


04:20

Shannon Yavorsky
Yeah, that's right. These processors or service providers, they're just providing services. And the idea is that they shouldn't be using that data for any reason other than simply providing those services to the business or like the data controller. And that's set out in the contract, which really outlines exactly what the data processor or the service provider is supposed to be doing. 


04:46

Speaker 4
So a data controller, I'm assuming, has more power to use this data, but. 


04:51

Adam Stofsky
They also have more obligations under these laws. Is that right? Whereas a service provider or a processor, they say, hey, well, we're just the processor and we can only process the data, but kind of almost in exchange, we're going to have fewer obligations. Those obligations are really on the controller. Is that a good way of thinking about it? 


05:11

Shannon Yavorsky
Yeah, that's a really good way to think about it. I think that's exactly right. 


05:15

Speaker 4
Okay, I have one more question, actually. 


05:17

Adam Stofsky
I probably have more than one more, but this is a really key one. 


05:21

Speaker 4
Is it the case that some companies. 


05:23

Adam Stofsky
Are processors and some are controllers? I mean, if you're a cloud storage company, you have customers also, you have your own data. 


05:30

Shannon Yavorsky
Can you be both? That's controller processor, like, 301. Yeah, you can be a controller and a processor. So for example, like a large cloud storage provider, they're mainly a data processor. And they enter into data processing agreements that say, we're just a processor, we're only going to store your data in the cloud. But to your point, they're also a data controller for certain buckets of data. They have employees, so they're a controller of their employee data. They're a controller for the customer data, like the name of the customer, the individual at the company. They probably also have marketing data, like on their website. They probably have cookies that they set and they're a controller for that data as well. So there are lots of circumstances in which a processor can also be a data controller.


06:26

Shannon Yavorsky
That's why it's really important to work out what your designation is, depending on what you're doing with the data. 


06:33

Adam Stofsky
So you'll be a processor for some. 


06:35

Speaker 4
Data and a controller for other data. 


06:39

Shannon Yavorsky
You close. 

© 2024 Briefly