Controllers, processors and sub-processors
Before the processing of personal data begins, it is necessary to define who is considered the controller of the processing, whether there are joint controllers, and whether a contractual relationship with a processor, or even a sub-processor, is to be entered into, as appropriate.
Controllers
The controller is the party who decides the purpose and methods of processing personal data. It can be an individual, a company, a government body or another entity.
For example, the Icelandic Data Protection Authority is the controller of the processing of all personal data carried out by the institution.
Joint-controllers
If a particular processing is carried out by two or more controllers, they can be considered as joint controllers.
The joint controllers are each responsible for the specific aspects of the processing and must prepare a special agreement on the division of responsibility before the processing begins.
Such an agreement must define who is responsible for what, for example who is responsible for providing individuals with information about the intended processing.
Processors
A processor is the person who undertakes the processing of personal data for the controller on the basis of a processing agreement, for example a software company or a host. It can be an individual, a company, a government or another entity.
The controller shall only engage processors that provide adequate guarantees for the protection of data subjects and for appropriate technical and organisational measures, in order to ensure that the processing meets the requirements of the data protection legislation.
Before the controller concludes an agreement with the processor on the processing of personal data, the controller must ensure that the processor can guarantee that appropriate measures will be taken so that the processing of the personal data meets the requirements of the Data Protection Act.
Example
For example, a bank negotiates with an advertising agency to send a commercial email to its customers. The bank is the controller, but the advertising agency is the processor, and a special processing agreement must be made for this processing of personal data, which meets the requirements of the Data Protection Act (GDPR).
However, it should be noted that while the advertising agency is a processor in this particular contractual relationship, it is considered to be an independent controller in respect of the processing of personal data that is not carried out on the basis of a processing agreement.
When the advertising agency processes personal data on its own employees or customers, for the purposes of its own operations, it is considered to be the controller.
Guidelines for processors
The Data Protection Authority has prepared (in Icelandic) that may be useful to look at.
Sub-processor
In some cases, the processor may wish to outsource some of the tasks that it has undertaken in a processing agreement to a third party, for example another company, which is then known as a sub-processor.
However, this is not permitted unless the processor has received prior written permission from the controller.
Example
An example of this is when a production company (controller) negotiates with a software company (processor) to purchase a service that includes the storage of data, which includes personal data. The software company then negotiates with a host (sub-processor) that offers the hosting of data in a cloud.
In this example, the production company should not have to accept that its data is placed in a cloud run by a host that the production company has no knowledge of and has not approved.
The software company must therefore obtain permission from the production company before transferring the data to the host.