It remains an interesting doctrine in the AVG: The relationship between the processor and the data controller.
The controller is responsible for the personal data processing of data subjects. This is the organization (or other entity) that determines the purpose and means of personal data processing.(1) A processor is the organization that processes personal data on behalf of the controller.(2)
A well-known illustrative example is the outsourcing of payroll. The organization places this work with an external company, an activity that involves personal data processing. The organization is then the data controller, the external company the processor.
There may also be two controllers of processing.(3) Then both organizations establish the purposes and means. This will be the case when the external company doing payroll processing also processes the provided data for its own purpose.(4) In practice, it can be difficult to determine exactly who is the processor and who is the data controller. Here is a sample list of different situations that can help you determine what position you and the organizations you work with have with respect to personal data processing.
Footnotes
(1) Art. 4 subsection 7 AVG.
(2) Art. 4(8) AVG.
(3) Art. 26 AVG.
(4) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving
