Are you a data controller or data processor? Let’s find out.
Who controls and who processes your visitors' data?
You have a website or a web shop, and you would like to analyze your website’s traffic and how your visitors get onto your site. You could use a data analytics provider like Google Analytics for this purpose, and with the insights you gain you can develop strategies to boost your sales.
However, when collecting and processing data, there are certain measures you need to take in order to comply with EU regulations like the General Data Protection Regulation (GDPR).
First, let’s take a look at who is who and what you need to do as a website owner.
THE GDPR DATA CONTROLLER
Simply put, the data controller controls the procedures and purposes of data usage.
The data controller decides how and why data is going to be used by a company/organization.
This is typically the owner or manager of the company website.
THE GDPR DATA PROCESSOR
The data processor processes any data that the controller provides. In short, the data processor processes data on behalf of the controller and does not own or control the data they process.
This is usually a third party external to the company, e.g. Google, Facebook, AddThis, Hotjar, LinkedIn, etc.
Example: Collect and process data with Google Analytics
Let’s get back to our example with Google Analytics.
To start analyzing your website traffic, you install Google’s tracking code.
Your website starts collecting data (through Google Analytics’ cookies), and Google starts processing the data on behalf of the data controller – you.
You control the data; Google processes the data (on your behalf).
Therefore, you are the data controller and Google the data processor.
However, if you provide the data to Google Analytics and they come up with the purposes and means of processing, then you are both data controllers, but Google Analytics is also (still) the processor.
Why is this important to me and my website?
If you want to become – or stay – GDPR compliant on your website, there are certain measures you need to take.
1) Collecting, managing and providing access to data
The European Commission’s guidance holds the data controller to be the principal party responsible for collecting, managing, and providing access to data.
For example, if a user (the data subject) requests his or her data, the controller (you) would have to access it from your servers or from the processor you have contracted to handle the data.
Only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data.
Any time a data processor becomes involved in collecting data, they also become a data controller and all of the above-mentioned responsibilities apply to them as well.
2) Keeping records of consents
Under the GDPR, data controllers are required to keep records of the consents given to process website users’ personal information.
This also means that if you are the data controller, you are responsible when the Data Protection Authorities ask for your website users’ cookie consents.
3) Appointing a Data Protection Officer
Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with website visitors’ personal data.
Although controllers and processors have different obligations under the GDPR, their roles are also complementary in reaching the goals of transparency and accountability.
Working together promotes compliance and helps both parties avoid the new, heavy economic penalties which come with violating GDPR rules.
That sounds like a lot, who can help my website?
Cookie Information can.
With Cookie Information’s Consent Solution, you can become completely ePrivacy and GDPR compliant on your website with a few simple steps.
Try Cookie Information’s Consent Solution and get a GDPR-valid cookie consent pop-up banner.
Are you ready to become compliant on your website? Try our Consent Solution today. Free trial, no credit card needed.