Data Controller vs Data Processor: GDPR Definitions

GDPR Roles: Controller vs Processor

Under the GDPR, two key roles are defined: the data controller and the data processor. Understanding the difference is critical for compliance. A data controller is the party that determines the purposes and means of processing personal data. The controller decides why personal data is processed and how it is handled, and thus has the primary responsibility for meeting GDPR requirements. In contrast, a data processor is any party that processes personal data on behalf of the controller, following the controller’s instructions. Both roles have specific GDPR obligations. For an organization, correctly identifying its role is the first step in compliance.

Data Controller

A data controller has the main responsibility for GDPR compliance. Controllers make decisions about all aspects of data processing. They must ensure a lawful basis for processing (such as consent or contract), uphold data subjects’ rights, and secure personal data through appropriate measures. For example, if a company collects customer information through its website, that company is the controller of that data. The duties of a controller include:

  • Purposes and means: Defining why and how personal data is processed.
  • Transparency: Informing individuals through clear privacy notices or policies about what data is collected and why.
  • Lawful basis: Establishing a legal justification (like consent or contract performance) for each processing activity.
  • Security measures: Implementing technical and organizational safeguards (encryption, access controls, etc.) to protect the data.
  • Data subject rights: Ensuring that individuals can exercise their rights (access, rectification, deletion, etc.) and responding to their requests promptly.
  • Data breach reporting: Notifying the appropriate authorities and affected individuals of personal data breaches as required by GDPR.
  • Accountability: Keeping records of processing activities (when required) and, if needed, appointing a Data Protection Officer (DPO).

Because of these duties, controllers bear the ultimate responsibility for ensuring data processing is lawful, fair, and transparent. Even employees of an organization are not separate controllers when they act under the organization’s instructions.

Data Processor

A data processor processes personal data only on behalf of the controller. Processors are typically external service providers. For example, a payroll company handling employee data for its client, or a cloud storage provider holding business customer data, are processors. A processor does not decide the purpose of processing and cannot use personal data for its own ends. When a controller engages a processor, GDPR requires a written contract (a Data Processing Agreement) that binds the processor to the specific conditions set out in Article 28. Under that contract, the processor must:

  • Follow instructions: Process data only as the controller instructs and for the purposes specified by the controller.
  • Security: Implement appropriate security measures (Article 32) to protect the data while in the processor’s control.
  • Record keeping: Maintain a record of processing activities if required (for example, if the processor has 250+ employees or processes sensitive data).
  • Assistance: Help the controller fulfill data subject requests by providing necessary information or actions (such as deleting data when instructed by the controller).
  • Data breach notification: Inform the controller promptly if a personal data breach occurs so the controller can meet its notification obligations.
  • Restrictions: Obtain the controller’s authorization before engaging any sub-processors.

Processors focus on the technical side and must provide sufficient guarantees that they will implement appropriate technical and organizational measures. They do not have to perform controller-level tasks (such as issuing privacy notices), but they are legally liable if they fail to meet their Article 28 obligations (such as security and confidentiality).

Key Differences

The main differences between the two roles concern control and responsibility. The controller is in charge of the data and bears most GDPR responsibilities, while the processor acts under the controller’s direction. The controller decides on legal basis and interactions with data subjects, whereas the processor cannot do so. For example, only the controller directly deals with a person’s request to see their data; the processor would forward that request to the controller. The table below summarizes the key differences:

Determines purpose and means
  • Data Controller: Yes – decides why and how data is processed.
  • Data Processor: No – only processes data on behalf of the controller.

Compliance responsibility
  • Data Controller: High – must ensure all GDPR principles and requirements are met.
  • Data Processor: Limited – follows the controller’s instructions and focuses on implementing security measures.

Legal obligations
  • Data Controller: Must have a lawful basis, notify breaches, uphold data subject rights, and keep records when required.
  • Data Processor: Must implement security measures, assist the controller, and follow contractual instructions.

Data subject interactions
  • Data Controller: Responds to data subject requests (access, correction, deletion, etc.).
  • Data Processor: Directs requests to the controller and assists as needed.

Contract (Article 28)
  • Data Controller: Requires a Data Processing Agreement with any processor.
  • Data Processor: Bound by a contract to process data only as instructed by the controller.

Typical examples
  • Data Controller: The organization collecting data (e.g. retailer, website owner, employer).
  • Data Processor: External service providers (e.g. payroll firm, cloud provider, email platform).

Joint Controllers

Sometimes two or more parties jointly determine the purposes and means of processing. They are called joint controllers. In such cases, the organizations must define each party’s responsibilities in writing. They should inform individuals about the joint arrangement and who to contact for data protection matters. Both joint controllers share liability for compliance. For example, if two companies co-host an event and share attendee data to promote products, they act as joint controllers and must coordinate their data protection duties.

Sub-processors

A processor may subcontract certain tasks to another processor, known as a sub-processor. GDPR requires the original processor to get the controller’s approval before using sub-processors. The controller remains responsible for the sub-processor’s compliance. All GDPR obligations flow down through the chain. For example, if a marketing agency (processor) uses a cloud storage provider, that provider is a sub-processor, and the agency must ensure it follows the same data protection requirements by contract.

Examples

  • A small online shop collects customer information on its site. The shop is the data controller of that information. If the shop uses an email service to send order updates, the email provider is a data processor under contract to the shop. The shop must ensure the email provider protects the data.
  • A hospital holds patient records. The hospital is the data controller. If the hospital outsources transcription of medical notes to a third-party company, that company is a data processor. The hospital will have a processing agreement requiring the company to keep patient data secure.

Understanding the roles of controller and processor is essential under the GDPR. Each role has distinct legal obligations. Controllers bear the responsibility for determining processing purposes and ensuring overall compliance with data protection principles. Processors handle data on behalf of controllers and must follow strict contractual and security requirements. By clearly defining these roles and using appropriate Data Processing Agreements, organizations ensure that personal data is handled in accordance with GDPR requirements and that responsibilities are clearly allocated.