Who is the Data Controller? Who is the Data Processor? Working with hospitals’ dilemma

When developing an app, especially when doing a pilot with hospitals, one of the most important questions you’ll encounter is: who is the Data Controller, and who is the Data Processor?
Or, is it possible for you to be both in different situations?
The answer to this seemingly simple question is a critical decision, particularly when sensitive patient data is involved.
The basics: What’s a data controller and a data processor?
Before we delve deeper into the issue, let’s clarify what the terms Data Controller and Data Processor mean under the GDPR (General Data Protection Regulation) framework. These roles are central to ensuring that sensitive data, such as patient information, is handled correctly.
- Data Controller: This is the party that determines the "how" and "why" of data processing. In simple terms, the Data Controller decides the purpose and means of processing personal data.
- Data Processor: The Processor acts on behalf of the Controller and processes data according to their instructions. They don’t determine how the data is used but merely assist in the handling of it.
Hospitals as Data Controllers 🏥
In most cases, hospitals will be the Data Controllers when it comes to core healthcare services. Why? Because they have a direct link to the patients and are responsible for deciding how and why patient data is used. For example, if your app helps improve patient care or tracks health metrics, the hospital typically determines how this data is collected and used within its original purpose for processing patient data: providing (health) care.
Hospitals generally control:
- The purpose of your app’s data usage: The hospital decides how your app will benefit patient care and determines the goals of its usage.
- The handling of patient data: The hospital often provides instructions on how data should be processed, ensuring that it aligns with medical and legal standards. Through these instructions, the hospital, as Data Controller, also has the power to limit the way in which you, as Processor, handle the data and the activities you may perform on it. In practice, it is the companies that write the DPA for the hospital to sign, as they do with any other client company (and not vice versa). Moreover, the hospital's personnel (doctors or nurses) will be the ones using the app, and therefore the ones making the ultimate decisions on what data is processed and for what purpose: they write, store, delete and modify all this data.
However, this doesn’t mean you’re off the hook. Sometimes, you might also act as a Data Controller, especially for specific non-core activities.
When can you become a Data Controller?
Even though hospitals typically control patient data, there are circumstances where you might step into the Data Controller role, particularly when using data for purposes beyond direct patient care. For example, if you collect data to improve your app, such as refining features based on usage patterns or testing new algorithms, you are likely determining the "why" and "how" of processing this data.
This is important because the GDPR places different responsibilities on Controllers versus Processors. As a Controller, you will need to ensure that your data practices are fully compliant, such as implementing data minimization, defining adequate retention periods, collecting informed consent where necessary, and ensuring transparency in how the data is used by providing data subjects with all relevant information.
Transparency is key here: patients (and hospitals) should understand why you need this data and how it will benefit them.
Being a Controller for specific processing operations, such as app improvement, means:
- You decide how the data will be used for enhancing your product.
- You are accountable for that decision, making sure it complies with GDPR requirements.
In many cases, you’ll find yourself acting as both Controller and Processor, depending on the specific activity involved. This dual role can be complex but manageable with the right agreements in place.
B2B relationships: Welcome to complexity and fragmentation!
In the B2B healthcare scenario, navigating the line between Controller and Processor isn’t always straightforward. Each hospital may have its own approach to determining who holds which role, and these criteria can vary significantly. This is why working with multiple hospitals can sometimes feel overwhelming in terms of data privacy compliance.
For instance, a hospital might say: "For patient care, we’re the Controller. But if you want to analyse usage data to improve your app, that’s on you!" This differentiation means that for certain activities, the hospital is the Controller, while for others, you are. Understanding these distinctions is crucial. 🚦
Data Processing Agreements (DPAs): Your new best friend
One of the most critical elements in managing these relationships is the Data Processing Agreement (DPA). This document outlines the roles and responsibilities of both parties concerning data processing. Hospitals often use standardized DPAs for all pilots or projects, but here’s a pro tip: don’t accept it as-is! 💡
Whenever you have room for negotiation, take the time to ensure the DPA accurately reflects the specific aspects of your project. This can include:
- Clarifying the roles of both parties (Controller vs. Processor) for each processing activity.
- Adding project-specific clauses that address your use of data for purposes like product improvement.
- Ensuring clear instructions on how data should be processed, stored, and secured.
This agreement will serve as a safeguard, ensuring that both you and the hospital are clear on your legal obligations. A well-drafted DPA is essential in protecting your business and ensuring compliance with data protection laws.
If you need a DPA, we published a template for you for free. Check it out!
Navigating the Data Controller vs. Processor debate
When you’re piloting an app with hospitals, understanding the roles of Data Controller and Data Processor is essential for GDPR compliance. Hospitals will usually take on the Controller role, but there are scenarios where you will be the Controller, such as when using data for product improvement. 🎯
The key takeaway? Clarity is essential. Define your roles clearly in the DPA, communicate transparently with the hospitals, and stay compliant with GDPR guidelines. With a bit of foresight and the right legal framework, you can confidently navigate the complexities of data privacy in healthcare, ensuring both patient protection and business growth.
As you move forward, remember that working in healthcare means handling sensitive data responsibly. But by understanding these roles and setting clear expectations, you’ll be on the right path to creating a successful, compliant, and innovative product.
Need help figuring it out? We’re here to help! 🙋
Chino.io is the one-stop shop for solving all privacy and security compliance aspects.
As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.
Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.
To learn more, book a call with our experts.