Data Controller vs Data Processor
Understanding the critical distinction between controllers and processors under GDPR and other privacy laws.
What's the Difference?
Under GDPR and many other privacy laws, organizations handling personal data fall into two main categories: data controllers and data processors. Understanding which role you play is crucial because it determines your legal obligations and liability.
Data Controller
The entity that determines the purposes and means of processing personal data. They decide why and how personal data will be processed.
Data Processor
The entity that processes personal data on behalf of the controller. They follow the controller's instructions and don't determine purposes or essential means.
Why This Matters
The distinction is critical because controllers have greater legal responsibilities and potential liability. Misidentifying your role can lead to compliance failures and regulatory penalties.
Real-World Examples
Let's look at practical examples to clarify these roles:
Example 1: E-commerce Company
Controller
The e-commerce company decides to collect customer names, emails, and shipping addresses to fulfill orders. They determine why and how to collect data.
Processor
The email marketing service (Mailchimp, SendGrid) that sends order confirmations. They only process data per the company's instructions.
Example 2: HR Department
Controller
The company's HR department decides to collect employee performance reviews, salary information, and health records for employment purposes.
Processor
The payroll service provider (ADP, Gusto) that processes salary payments based on HR's instructions and data.
Example 3: SaaS Platform
Controller
A project management SaaS (like Asana) is the controller for its own users' account data: it decides what data to collect in order to provide the service.
Processor
The same SaaS is a processor when customers input their employees' personal data into the platform: it processes that data per the customer's instructions.
Data Controller Responsibilities
As a data controller, you have primary responsibility for GDPR compliance:
- Determine Purposes & Means: decides why and how personal data is processed
- Legal Basis: ensures there is a lawful basis for all data processing activities
- Data Subject Rights: responds to access, deletion, and other data subject requests
- Breach Notification: notifies authorities and individuals of data breaches
- Compliance Oversight: ensures overall GDPR/privacy law compliance
- Processor Selection: chooses and oversees data processors
Data Processor Responsibilities
As a data processor, you have specific obligations under GDPR:
- Follow Instructions: process data only according to the controller's documented instructions
- Security Measures: implement appropriate technical and organizational security
- Processing Records: maintain records of all processing activities
- Breach Reporting: notify the controller of any data breach without undue delay
- Sub-processor Management: obtain the controller's authorization before engaging sub-processors
- Assistance & Cooperation: help the controller respond to data subject rights requests
Key Differences at a Glance
| Aspect | Data Controller | Data Processor |
|---|---|---|
| Decision-Making | Determines purposes and means of processing | Processes data only on controller's instructions |
| Liability | Primary responsibility for compliance | Liable for specific breaches of obligations |
| Data Subject Requests | Must respond directly to individuals | Assists controller in responding |
| Contracts Required | Must have contract with processors | Must have contract with controller |
| DPO Requirement | May be required to appoint DPO | May be required to appoint DPO |
Data Processing Agreements (DPAs)
GDPR Article 28 requires a written contract between controllers and processors. This Data Processing Agreement (DPA) must include:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Security measures the processor must implement
- Sub-processor authorization requirements
- Data deletion or return after contract termination
- Audit rights for the controller
Joint Controllers
Sometimes two or more organizations jointly determine the purposes and means of processing. This makes them joint controllers. For example:
Example: Facebook Page Insights
A company running a Facebook Business Page and Meta are joint controllers for the processing of visitor data for page insights. Both have a role in determining how the data is processed.
Joint controllers must have a transparent arrangement defining their respective responsibilities for GDPR compliance, particularly for responding to data subject rights requests.
When a Processor Becomes a Controller
A processor can become a controller if it:
- Processes Beyond Instructions: if a processor processes personal data for its own purposes beyond the controller's instructions, it becomes a controller for that processing.
- Determines Purposes: if a processor starts determining the purposes and means of processing (not just following instructions), it becomes a controller.
Example: If your email marketing processor (originally just sending emails per your instructions) starts using your customer data to train their own AI models, they've become a controller for that AI training purpose.
Determining Your Role: Key Questions
Ask yourself these questions to determine if you're a controller or processor:
1. Who decides WHY to collect personal data? If you decide the purpose, you're likely a controller.
2. Who decides HOW to process the data? If you determine the essential means (not just implementation details), you're likely a controller.
3. Are you following someone else's instructions? If yes, you're likely a processor.
4. Do you have a direct relationship with data subjects? Controllers typically have direct relationships; processors often don't.