A game of roles

In general, there are only two roles under the GDPR: the controller and the processor. You will hear about a third role a lot, the sub-processor, but it isn't an official role under the GDPR, but we'll talk about this later.

Picture of the autor Rutger Buijzen

Rutger Buijzen

Chief Technology Officer

First up: the controller

The controller is the first in line when it comes to the responsibility to comply with the GDPR. This is the company (or person) in whose name the personal data is gathered and processed, and who is accountable for any breaches of the regulation. The controller is in control of which data should be gathered, for which purpose, under which legal basis, and for how long it's stored amongst others.

The processor

All this data processing is difficult, of course, and that's why the controller has the right to hire 3rd parties to process data for them. This party is then called, you guessed it, the processor. But the processor is only allowed to process data for which it received written instructions from the controller. So when the processor wants to process some new sort of personal data or change the way it's processed, they will need approval from the controller before it's allowed to be processed.

The sub-processors

And now it gets interesting! The processor also has the right to hire 3rd parties to process the data it's been hired to process! To keep all these parties separate we usually talk about sub-processors when a processor hires a different processor to process its data. But again, there are rules. A processor is only allowed to let a sub-processor process it's data if it has written consent from the controller and all data has to be processed under the same rules as instructed by the controller. This is challenging in practice, but we're going to explain how you deal with this later.

Upcoming topic: accountability and penalties.

Let's see why everyone is so scared about GDPR and if it's really justified.