Data controller is a person that processes personal data and determines the purposes and means of data processing.
Processing of data on the other hand is any action performed on data: collection, recording, storage, use, disclosure, photographing, transfer to third party, publication, erasure, destruction , etc.
For example, if a mobile application or web-page that you created remembers a user’s phone number, e-mail address, bank account number and stores them in a database, this qualifies as data processing.
Data processing is recording a conversation ‘for the purpose of improving a service’, sending advertising sms to customers, recording entry into and exit from a building, video recording of a place of employment or outdoor perimeter of a building.
Processing of personal data is photographing guests at your organization’s event and publishing the photos on your official Facebook page.
When personal data is processed by a specific individual within an organization, he or she acts on behalf of the organization rather than independently and the employer organization is still a data controller.
Data controller might be a private individual that processes data in relation to entrepreneurial or professional activities (e.g., as an expert or an attorney) and not for personal purposes.
Data may be processed via a data processor. Data processor is any individual or legal personal that processes data for the data controller or on its behalf. For example, if you decided to inform your customers about a new product via sms and hired a company to send the messages – that company is your data processor.
Data processor processes data on the basis of a legal act or a written agreement signed with a data controller. The agreement should necessarily define the extent of data processing, purposes of data usage, obligation to take measures for data security. If the agreement does not contain the relevant conditions, a liability might be imposed on data controller.
In a legal dispute with the data controller, data processor is obliged to immediately transfer all data at its disposal to the data controller. If a data processor ceases to operate, the data shall be immediately transferred to data controller.