Controllers, processors and subjects
Three core concepts in EU 2016/679 are:
- A controller is an organization that collects or generates personal data as a part of its business.
- A processor is an organization that stores or manipulates this data on behalf of the controller. The controller and processor are frequently the same entity, but this terminology allows for subcontracting situations.
- A data subject is the natural person about whom data is collected, stored or processed.
How the controller and the data subject are related has consequences for the kinds of data that may be collected and for how that data must be protected.
Corporations and consumer data
This is likely the main scenario envisioned by the authors of EU 2016/679. Examples include banks, healthcare agencies or social network platform operators, all of whom hold extensive data about their consumers or customers. In most cases, consumers have, and are intended by the EU to have, a choice among multiple service providers.
Employers and employee data
Another type of relationship, of great interest to organizations operating human resources (HR) and identity and access management (IAM) systems, is that between employers and workers. It is understood that some personal information must be collected from workers in order to undertake contracts with their employer, so consent by the worker to provide this information is a prerequisite to employment rather than freely given.
Healthcare, government and research
Other kinds of relationships, such as those between a healthcare provider and a patient, between a government and a citizen, or the use of aggregate data for statistics or research, are regulated less stringently. This is because the nature of these relationships necessitates the sharing of sensitive data: financial data with tax authorities, health data with hospitals, population data with researchers, etc.