According to Article 4 GDPR – Definitions, a Data Controller means “the […] legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data” while the Data Processor means “a […] legal person […] which processes personal data on behalf of the controller”. The basic difference between the controller and the processor is that the controller has a large degree of autonomy in how it determines the processing operations and purposes for processing, while the processor has almost no autonomy – it processes the personal data according to the controller’s requests.
If you want to be a Data Processor, you should ensure logical separation of customers’ environments, full customer control over their tenants, the ability to download/delete their data, etc. You could allow your customers to connect to other providers via your ecosystem, whether your providers are controllers or processors (for your customers) or subprocessors (for your customers, but subcontracted by you).
If you want to perform telematics on customer data (such as recording performance data in order to improve your ecosystem), you might become a joint controller in the relationship with your customers.
At Advisera we have an EU GDPR Documentation Toolkit that can help you on your journey to becoming GDPR-compliant using a step-by-step approach. It contains 39 document templates – unlimited access to all documents required by GDPR, access to video tutorials, email support, expert review of a document, and one hour of live one-on-one online consultations with a GDPR expert. It contains templates for Supplier Data Processing Agreements that you can use with your suppliers or with your customers, an International Personal Data Transfer Procedure as well as guidelines on how to fill in the Standard Contractual Clauses needed for personal data exports outside of the European Union.
Please also consult these links: