Concepts of controller and processor

Under the APPI, no specific distinction is drawn between the obligations imposed on controllers and processors. The absence of this distinction does not affect the level of protection because all PIHBOs are subject to all provisions of the Act. A PIHBO that entrusts the handling of personal data to a trustee (the equivalent of a processor under the GDPR) remains subject to the obligations under the APPI and Supplementary Rules with regard to the data it has entrusted. Additionally, under Article 22 of the APPI, it is bound to "exercise necessary and appropriate supervision" over the trustee. In turn, as the PPC has confirmed, the trustee is itself bound by all the obligations in the APPI and the Supplementary Rules.