IAPP ANZ Summit 2026

Privacy | AI governance | Cybersecurity law

Sydney

1-4 December

Same Data, Different Duties: Controller and Processor Models Compared

Friday, 4 Dec.

11:15 - 12:15 AEDT

Intermediate level

BREAKOUT SESSION | PRIVACY | LAW AND REGULATION | PROGRAM MANAGEMENT | RISK MANAGEMENT | STRATEGY AND GOVERNANCE | FINANCE AND BANKING | GOVERNMENT | HEALTH CARE | LEGAL | PROFESSIONAL SERVICES | TECHNOLOGY

This panel will explore the practical and legal distinctions between data controllers and data processors, comparing the European/GDPR and Asian approaches with positions in Aotearoa New Zealand and Australia. Under the GDPR, controllers bear primary accountability and must impose prescriptive contractual requirements on processors. New Zealand and many Asian regimes acknowledge a similar distinction, but with less prescriptive obligations, particularly on processors. Australia does not currently adopt a controller–processor distinction under the Privacy Act 1988, although reform proposals signaled an intention to introduce a more GDPR-like allocation of responsibilities. We will examine how these legislative differences affect risk allocation, vendor due diligence and liability exposure.

What you will learn:

• Different approaches in Australia, New Zealand, Asia and Europe.

• Where accountability sits in outsourced arrangements.

• Appropriate governance and oversight structures to manage the risks.

Moderator and speakers

Frith Tweedie

AIGP

Partner

Simply Privacy

Kate Colleary

CIPP/E, CIPM, FIP

Country Leader, Ireland, IAPP; Director

Pembroke Privacy

Anna Gamvros

CIPP/A, CIPT, FIP

Partner, Privacy and Cybersecurity Lead, Asia-Pacific

A&O Shearman

Claire Knight-Whiting

AIGP, CIPP/E

General Manager Legal, Data, Privacy and AI Governance

Xero