Data Processor vs. Data Controller

Transcend's DSR Automation product supports workflows for both data processors and data controllers. The terms "data processor" and "data controller" are common terms used in the European GDPR to describe ownership and responsibility over data.

Most B2B businesses operate as a data processor for some types of the data they process. Twilio is an example of a business that may act as a data processor: it is a B2B SaaS company that offers APIs to other businesses for programmatically sending text messages. If a company called "Acme Corp" were a customer of Twilio and used Twilio as a vendor to send text messages to Acme Corp users, then Twilio would be the data processor for any data collected on behalf of Acme Corp in order to text those users.

But every business, in one form or another, is a data controller for some types of data. Even Twilio would be a data controller for any personal data collected about Twilio employees, or for marketing data that Twilio collects in order to acquire new Twilio customers.

Using Transcend, B2B companies can encode different workflows for deleting and accessing data for both data processor and data controller use cases, as well as anything in between.

Transcend Product Architecture for DSRs for data processors
Transcend Product Architecture for DSRs for data controllers

We offer several methods of ingesting data subject requests, whether you are processing DSRs as a data processor or as a data controller.

If you act as a data processor for another company, that company will need to send you the data subject requests that it receives from its end users. DSRs of this type are most often received via the following options:

  • Transcend's API
  • A CSV upload of requests from another data processor or other source
  • Through your Transcend support team
  • On your own Admin Dashboard

When these requests are fulfilled, you can either serve the results via your API or have your support team download them. For erasure jobs, there will simply be a confirmation that deletion has completed; for access requests, you can download and propagate the generated access report.

For B2C organizations, the most common way to get requests is through the Privacy Center. Your business is the data controller that decides how to process your customers' personal data. For requests not received through the Privacy Center, a team member of your organization can manually make a request through the Admin Dashboard or the DSR API. Upon completion, a report is sent via email, or made available for review and download directly in the Privacy Center.