EU general data protection regulation (GDPR) - Checklist for controller versus processor

Introductory note

The following checklists are adopted from the ICO’s Guide to the GDPR and set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.

How to use this checklist:

Before using the checklists, it is essential to first establish whether your organisation is actually caught by the GDPR under Art 3, which sets out the extra-territorial test (see Overview — What is the GDPR and when does it apply to Australian organisations?). For example, it is not uncommon for a party (such as a customer) based in the EU to attempt to classify an Australian organisation as a “processor” under the GDPR. However, the Australian organisation may in fact be merely a “recipient”, in which case it is not directly caught by the GDPR and the GDPR’s “processor” obligations do not apply to it.

Links to related content:

  • Overview - What is the GDPR and when does it apply to Australian organisations?