Skip to main content
All CollectionsPersonal Data Inventory
What should I choose as my legal responsibility for a process?
What should I choose as my legal responsibility for a process?

Learn the differences between Controller, Processor and Joint-controller and when to use each.

Alex Franch Tapia avatar
Written by Alex Franch Tapia
Updated over a month ago

Controller

You are a controller if...

  • You determine the purpose or outcome of the processing, what personal data should be collected, and which individuals to collect personal data about.

  • The data you are processing is about your employees.

  • You have a direct relationship with the individuals who are the owners of the data.

  • You exercise professional judgement in the processing of personal data (e.g. Lawyers and Doctors).

You are the controller example

πŸ’‘ If you use Google Drive to store information, you are the owner of that information, meaning you decide when to update it, delete it, move it, or use it. In this scenario, you are the Controller, and Google Drive is the processor as they process information based on your instructions.

Processor

You are a processor if...

  • You do not decide what purpose or purposes the data will be used for.

  • You are following instructions from someone else regarding the processing of personal data.

  • You were given the personal data by a customer or similar third party, or told what data to collect.

  • You do not decide to collect personal data from individuals, do not decide what personal data should be collected from individuals, do not decide whether to disclose the data, or to whom, or do not decide how long to retain the data.

You are a Processor example

πŸ’‘ If you are a service provider and have a web app or mobile app, and people use your app to offer services (for example, if you are a CRM like Hubspot), then when offering your services, you are a processor.

Joint Controller

You are a joint controller if (this is rare)...

  • You have a common objective with others regarding the processing.

  • You are processing the personal data for the same purpose as another controller.

  • You are using the same set of personal data (e.g., one database) for this processing as another controller.

  • You have designed this process with another controller, or you have common information management rules with another controller.

Unless you are doing joint marketing/event activities with another company, in most cases you are either a Controller or Processor.

Related Articles
When do I need a Data Protection Impact Assessment (DPIA)?
How to reply to a Data Subject Access Request?
[Checklist] Data Processing Agreement
Choosing a Data Retention Period for UK companies
Did this answer your question?