Expert Advice Community

Question related to Controller and Processor with respect to GDPR

Guest user Created:   Jul 02, 2020 Last commented:   Jul 06, 2020

Hey, I would like to know who the controller and processor are in practice. I know what the duties and responsibilities of these two are.
But let's say I am developing a particular application on which I will collect personal data to fulfill the purpose of the application. Do I have to appoint a controller or processor, or will someone like the founder, director, CEO, or legal advisor act as a controller?

Expert
Alessandra Nisticò Jul 06, 2020

Article 4 paragraph 7 GDPR defines ‘controller’ as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

It means that whoever collects data is the controller. If you are developing an app that will collect personal data, you (or your company) will be the data controller. You need to declare who the data controller is and inform your data subjects clearly in the privacy notice. Most likely it will be the company and not the person.

The controller will need to comply with GDPR requirements for data processing.

  • Find the legal basis of data processing
  • Inform the data subject in a transparent manner about the purposes and means of processing and the data retention period.
  • Develop your app according to the principle of privacy by design and by default
  • Follow the principles for data transfers if any.
  • Adopt security measures complying with GDPR requirements
  • Process data according to GDPR legal requirements.

Article 4 paragraph 8 GDPR defines the processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Therefore, the data processor is someone who acts on behalf of the controller. Let’s take an example with your app. You are the developer of the app and you collect users’ personal data. Maybe you are going to share these data with third parties like Google Analytics, which provide you with some services to implement the functionalities of your app. Third parties will act as the data processors.

It can also be a web agency that sends customized emails to your customers on your behalf. They will process email addresses (which are personal data) on your behalf.

The data processor needs to be appointed by the data controller, who will instruct on how to process data, what principles to follow, what data retention period to apply, and so on. The data controller also has the power to control and verify whether the processor complies with the data processing principles set.

The responsibilities for not complying with GDPR requirements are liabilities towards data subjects for any damage caused by the data processing and also fines from the Data Protection Authorities. The fines are severe. Infringements are divided into two classes: infringements of data controller and data processor duties have fines up to 10 000 000 EUR or 2% of annual turnover (whichever is higher), while infringements of basic GDPR principles (like lawfulness of processing) have fines of 20 000 000 EUR or 4% of annual turnover (whichever is higher).

Here you can find more information about data transfers, controller and processor:

You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
