A data controller determines which personal data is to be collected from data subjects (the natural persons to whom the data relates) and why that personal data is being collected. The data controller therefore has overall control of, and responsibility for, the data in question.
The data controller is also responsible for determining the lawful basis on which the data is collected, to whom the data may be disclosed, how requests from data subjects are answered, and how long the data is retained and when it is to be destroyed.
A data processor must ensure that data is processed in accordance with the data controller's instructions. Processing here includes data storage and the building of databases from client personal data (such as email addresses, telephone numbers, physical addresses and so forth).
The data processor is responsible for the security measures in place to protect personal data, for how the data is stored (including the IT systems used), for transfers of personal data from one entity to another, and for the practicalities of deleting or disposing of the data.
Whilst an entity will typically be either a controller or a processor, there are times when it acts as both. For example, a processor that provides services to data controllers will most likely be a controller of some personal data (its own employee or customer records, say) and a processor of other data. In some circumstances an entity may even be a controller and a processor of the same data set, where it processes that data for different purposes.
Where an entity acts as both a processor and a controller, it needs to be able to distinguish between the personal data it processes as a controller and the personal data it processes as a processor, since its obligations differ in each role.