Why the Controller-Processor Distinction Matters to Privacy

Comprehensive privacy legislation relies on creating strong obligations for all companies that handle consumers’ personal data.

One key element of those obligations is distinguishing between the companies that decide how and why a consumer’s personal data is collected and used, known as “controllers,” and the companies that process data on behalf of controllers, known as “processors.”

As a new fact sheet by BSA | The Software Alliance makes clear, this distinction is a bedrock principle of privacy laws worldwide and dates back more than 40 years.

Controllers and Processors: A Longstanding Distinction in Privacy – This document on the history of the controller-processor distinction outlines its roots dating back to at least the 1980 OECD privacy guidelines. It also contains a chart identifying more than a dozen privacy and data protection laws worldwide that reflect this distinction.

The fact sheet builds on other BSA resources focusing on the roles of controllers and processors under privacy and data protection laws worldwide. Other BSA resources include:

The Global Standard: Distinguishing Between Controllers and Processors in Privacy Legislation – Need more detail about controllers and processors? This quick guide helps explain these roles and why the distinction between them is important to protecting consumer privacy.

Consumer Rights to Access, Correct, and Delete Data: A Processor’s Role – This document focuses on what processors can – and cannot – do in helping controllers respond to consumer rights requests. This issue is critical to ensuring that the consumer rights created by any new privacy law function in practice for personal data held by processors.

The bottom line is that these longstanding and widespread concepts are crucial for comprehensive privacy legislation that protects consumer privacy and instills trust. Privacy laws should cover both controllers and processors, but must distinguish between these roles to effectively protect consumers.

Author:

Kate Goodloe serves as Senior Director, Policy with BSA | The Software Alliance. She works with BSA members to develop and advance policy positions on privacy, as well as artificial intelligence and law enforcement access. Before joining BSA, Goodloe was a senior associate in the Privacy & Cybersecurity practice at Covington & Burling LLP. In that role, she counseled technology companies on a range of privacy and law enforcement access issues and represented companies in privacy-related litigation, as well as in investigations by the Federal Trade Commission and by Congress. She previously served as a Law Clerk for the Honorable J. Frederick Motz of the U.S. District Court for the District of Maryland. Goodloe is a graduate of the University of Missouri School of Journalism and the New York University School of Law. She is based in BSA’s Washington, DC, office.
