Over the course of a business arrangement, organizations often need to share and transfer data to various third parties in order to carry out the transaction. Almost every business relies on third parties to process personal data.
However, the transfer of personal data to a third-party may expose such data to certain privacy risks. The NDPA provides for certain obligations between data controllers, data processors, and other third-party processors and the need for a functional data processing agreement.
In this series of our #PrivacyPlease, we will analyze the relationship between data controllers and processors and what the provisions of the NDPA may mean for businesses.
Data Controllers v. Data Processors (Third Party Processors)
A data controller means an individual, private or public entity, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data. A data controller is the party that determines why and how the data obtained from a data subject is processed. On the other hand, the NDPA defines a data processor as an individual, private or public entity, or any other body that processes personal data on behalf of or at the direction of a data controller or another data processor.
Essentially, a data controller collects data directly from the data subject, it controls said data, and determines how it will be processed by the data processor. While a data processor processes any data it receives in line with directions given by the data controller. Similarly, a third-party processor may be assigned to process data on behalf of a data controller or processor.