top of page
  • Writer's pictureDeborah

In Canada, there is no distinction between data controllers and data processors. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all organisations that collect, use, or disclose personal information. The same can be asserted for the new Quebec Law 25 (ex Bill 64), as it does not explicitly outline which provisions are intended to apply only to data controllers, or to both controllers and processors.

Comparatively, the EU GDPR explicitly distinguishes between data controllers and data processors:

  1. Data controller is defined as a 'natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data.'

In other words, controllers exercise overall control over the purposes and means of the processing of personal data, they are the primary decision makers. Where two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are considered to be joint controllers. Conversely, they are not joint controllers if they process the same personal data for different purposes.

2. Data processor is defined as a 'natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'

Thus, processors act on behalf of, and only on the instructions of, the controller. Processors receive instructions and have technical decision making power (storage, IT systems used, security measures…).

While the definition provided by GDPR provides helpful guidance, the determination of a clear line of responsibilities between who is the controller vs who is the processor proves challenging in the real world. To tackle this issue, the UK Information Commissioner’s Office sets out practical indicators to make such determinations.

Recent Posts

See All

The Secured Overnight Financing Rate (SOFR) is a broad measure of the cost of borrowing cash overnight collateralized by Treasury securities. SOFR is the overnight interest rate for US dollar-denomina

13/06/2023 - Canadian Securities Administrators (CSA) SEDAR+ go-live date. All issuer filings, cease trade orders and disciplined list entries will be filed in SEDAR+ 16/06/2023 - OSFI consultation pe

On May 11, the Bank for International Settlements (BIS) published a Handbook on how central bank digital currencies (CBDCs) could work for offline payments, defined as a “transfer of value between dev

bottom of page