What is the difference between a Data Controller and a Data Processor?
The GDPR divides organizations processing personal data into “data controllers” and “data processors.”
A Data Controller is the entity who determines the purposes, conditions and resources of the data processing and tells the processor what to do with the data. The Data Processor is the entity who processes the personal data on behalf of the Data Controller pursuant to the controller’s instructions. Data controllers must comply with the GDPR’s principles, including transparency and lawfulness of the processing. Data processors must act pursuant to the controller’s instructions and secure the data.
Brussels Airlines is a data controller for different personal data processes, such as for its principal mission, being the fulfillment of the flights booked by its passengers when booked directly with Brussels Airlines.
In case the data subject has booked a flight on Brussels Airlines through a travel agent or another company, then that company is the Data Controller and Brussels Airlines is the Data Processor.