Why do we need Data Processors or Data Controllers?
Data Controllers and Processors are necessary in order to remain compliant with the GDPR and other privacy regulations (such as the DPA and CCPA) - especially with regard to cookies.
What is a Data Controller?
A Data Controller controls the procedures and purposes of data usage - deciding how and why data that is collected is going to be used by the company collecting it.
What is a Data Processor?
A Data Processor processes the collected data that it is given by the controller (but it does not own or control this data). In many cases the Data Processor is a third party such as Google, Facebook, or LinkedIn (to give some examples).
Is it possible to be both a Data Controller and a Data Processor at the same time?
Yes, in some cases it is possible to be both, but this is relatively rare.
What is a sub-processor?
A sub-processor is any other business or contractor that personal data of users may go through. For instance, if you are offering IT services and you use some Amazon Web Service products, then Amazon would be considered a sub-processor in this regard.
What does this all mean for me and my website?
As mentioned above, they are both necessary to become and/or remain compliant with the GDPR. As a Data Controller, you are responsible for:
Collecting, managing, and providing access to data:
If a user requests their data, then you must be able to meet this request either by finding it on your own server, or getting in touch with the processor that is handling the data on your behalf.
Only Data Controllers are allowed to collect personally identifiable information from data subjects (users), meaning they are also responsible for determining their legal authority to obtain said data.
Keeping records of consents:
Under the GDPR, Data Controllers must keep records of consent in order to process any user information - meaning that if you are the Data Controller, then you are responsible when the Data Protection Authorities ask to see consents collected.
Appointing a Data Protection Officer:
Regardless of whether it is a Data Processor or a Data Controller - both must appoint a Data Protection Officer when working with personal data.
Even though data controllers and data processors have slightly different roles, they are both key (along with a DPO) in remaining compliant.
If a website visitor asks to see the consent they gave to cookies on my website, how is the correct consent found?
If a website visitor asks to see the consent they gave, please ask them to have their user_uid handy. From this, we can then find their consent in our records.
How do I find my user_uid to give to you so I can see the consent I have given?
To find your user_uid property, please take a look at our article "What if a user requests their consent data?"
If I'm acting as the Data Processor, does that mean because I use your services that I have to sign a Data Processing Agreement with Cookie Information?
No, it is not necessary to sign a Data Processing Agreement with us because we do not collect or store any personal information in order to run and provide our services.
If you would like to see what data we do collect (as well as how it's stored and formatted), please see our article "Do we need to sign a data processing agreement with Cookie Information?"
Didn't find the answer you needed? Write to us at firstname.lastname@example.org