In Canada, there is no distinction between data controllers and data processors. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all organisations that collect, use, or disclose personal information. The same can be asserted for the new Quebec Law 25 (formerly Bill 64), as it does not explicitly outline which provisions are intended to apply only to data controllers, or to both controllers and processors.
Comparatively, the EU GDPR explicitly distinguishes between data controllers and data processors:
1. Data controller is defined as a 'natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'
In other words, controllers exercise overall control over the purposes and means of the processing of personal data; they are the primary decision makers. Where two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are considered to be joint controllers. Conversely, they are not joint controllers if they process the same personal data for different purposes.
2. Data processor is defined as a 'natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'
Thus, processors act on behalf of, and only on the instructions of, the controller. Processors receive instructions and have technical decision-making power (storage, IT systems used, security measures…).
While the GDPR definitions provide helpful guidance, drawing a clear line of responsibility between the controller and the processor proves challenging in the real world. To tackle this issue, the UK Information Commissioner’s Office sets out practical indicators for making such determinations.