Your company is selling toys online and ship globally. The business is supported by an E-Commerce system developed in-house and deployed to a public cloud with the Platform as a Service (PaaS). Your company collects customer data for the purpose of billing and shipping. As a security professional, you are identifying the role of your company and applicable laws and regulations in terms of privacy. Which of the following best describes the role of your company?
A. Data Owner
B. Data Custodian
C. Data Controller
D. Personally Identifiable Information (PII) Principal
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Data Controller.
Controller vs. Processor
GDPR Article 4 defines data controllers and data processors as below:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Source: Controller vs. Processor
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes
privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller
natural person to whom the personally identifiable information (PII) relates
Source: ISO 29100:2011
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Source: NIST Glossary