Data Processor vs. Data Controller
The terms "data processor" and "data controller" come from privacy regulations like GDPR, and they define your relationship to personal data and your responsibilities in managing it. Understanding which role you play is crucial for configuring the right data subject request (DSR) workflows in Transcend.
Transcend's DSR Automation product supports workflows for both scenarios, allowing you to handle requests appropriately based on your relationship to the data.
A data controller is an entity that determines the purposes and means of processing personal data. In simpler terms, if you decide:
- Why personal data is collected
- What personal data to collect
- How the data will be used
- How long to keep the data
...then you are acting as a data controller for that data.
Examples of when you're a data controller:
- Customer data for your own products and services
- Marketing data you collect from prospects
- Employee data for your own staff
- Website visitor data that you collect directly
A data processor is an entity that processes personal data on behalf of a data controller. If you:
- Process data according to another company's instructions
- Don't decide the purpose of data collection
- Act as a service provider to other businesses
- Only use the data as directed by your clients
...then you are acting as a data processor for that data.
Examples of when you're a data processor:
- A SaaS company processing customer data on behalf of its business clients
- A cloud storage provider hosting data owned by other companies
- A payment processor handling transaction data for merchants
- A marketing agency managing customer lists for clients
Most companies act as both data controllers and data processors, depending on the specific data and context.
For example, a B2B SaaS company like Twilio:
- Acts as a data processor when sending text messages to its clients' customers
- Acts as a data controller for its own marketing database and employee information
Your role determines how DSRs should be handled.
When you're the data controller, you:
- Receive requests directly from individuals (your users/customers)
- Have the authority to decide how to respond
- Need to coordinate fulfillment across all your systems and vendors
- Must communicate directly with the requestor
When you're the data processor, you:
- Receive requests from your clients (the data controllers)
- Must follow their instructions regarding the data
- Need to report completion back to the controller, not the end user
- Should not contact the end user directly
Transcend supports different ingestion methods based on your role.
When you're the data controller, common ingestion methods include:
- Privacy Center: Users submit requests directly through your Privacy Center
- Manual Submission: Your team enters requests received through customer service channels via the Admin Dashboard
- API Integration: Your existing systems forward requests to Transcend via the DSR API
Upon completion, reports are delivered directly to the requestor through email or the Privacy Center.
When you're the data processor, common ingestion methods include:
- API Integration: Your clients send you requests via the Transcend API
- CSV Upload: Batch import requests received from your clients
- Admin Dashboard: Manually enter requests forwarded by your clients
When these requests are fulfilled, results are sent back to the client (the data controller), not to the end user.
With Transcend, you can configure different workflows for each role:
- Create separate data subject types for controller vs. processor scenarios
- Configure different authentication methods for each type
- Set up different notification templates based on the role
- Create custom fields to track the source of processor requests
This flexibility ensures compliance with privacy regulations while efficiently managing all your data responsibilities.