It’s easy to get stuck on one question when you’re working on General Data Protection Regulation (GDPR) compliance: Are you a data controller or a data processor?
The answer matters because it shapes what you’re responsible for, what you need to document, and what you need from your vendors. In this article you’ll learn what a GDPR data controller is, how controllers differ from processors, what each role is expected to do, and how to handle common real-world scenarios.
At a glance
- A GDPR data controller determines why personal data is processed and the core means of that processing.
- Controller vs. processor status is based on actual decision-making power, not contracts or labels.
- Data controllers hold primary GDPR accountability, including lawful basis, transparency, data subject rights, and processor oversight.
- GDPR roles are assigned per processing activity, so one organization can be both controller and processor in different contexts.
- Misclassification risk is common in SaaS, marketing, analytics, payments, and HR services and increases enforcement exposure.
- Joint controllership applies when parties jointly decide purpose and essential means and requires an agreement with clear user transparency.
What is a data controller?
Under the European Union’s General Data Protection Regulation (GDPR), a data controller is the natural person or legal entity that decides why personal data is processed and how that processing takes place.
This definition comes from Art. 4(7) of the GDPR, but it doesn’t need legal language to make sense for your business. In plain terms, if your organization decides the purpose of processing personal data — for example, to run a website, manage customers, or market a product — and determines the main means of doing so, you are acting as the GDPR data controller.
The key test is decision-making. A data controller answers two core questions:
- Why is the personal data being processed?
- At a high level, how will that processing happen?
If your organization answers those questions, you are the controller, even if another company carries out the processing on your behalf.
Who can be a data controller?
Most data controllers are organizations, but the GDPR does not limit the role to businesses alone. A data controller can be:
- An organization: This includes companies, nonprofits, and other legal entities that collect and use personal data in the course of their activities.
- A public authority: For example, a government body or regulator that often acts as a data controller when processing personal data to perform its official tasks.
- An individual (in rare cases): An individual can be a data controller if they process personal data outside of a purely personal or household context, such as operating a business as a sole trader.
One organization can have different roles
It’s also important to know that being a data controller is not a permanent label. The same organization can act as a data controller in one situation and a data processor in another.
For example, a software provider may be the data controller for personal data collected on its own website, but the data processor when it handles customer data on behalf of a client using its platform. The role depends entirely on the specific processing activity, rather than on job titles, contracts, or how a company describes itself.
Understanding this distinction is the first step toward correctly assigning responsibilities and meeting GDPR requirements.
GDPR data controller vs. data processor
GDPR data controllers and data processors have very different legal responsibilities.
Controllers carry primary accountability under the GDPR, including liability for compliance failures, while processors have narrower — but still important — obligations. When roles are unclear or incorrectly assigned, organizations increase their exposure to enforcement action, fines, and contractual disputes.
This distinction is often misunderstood in SaaS, marketing, and analytics environments. Modern data ecosystems rely heavily on third parties, platforms, and integrations, which can blur responsibilities. Titles like “vendor” or “partner” don’t determine GDPR roles. What matters is who decides the purpose and main means of processing personal data.
The table below shows the core differences between a data controller and a data processor.
Data controller vs. data processor: key differences
| Aspect | Data controller | Data processor |
|---|---|---|
| Decision-making authority | Decides why personal data is processed and determines the main means of processing. | Processes personal data only on the documented instructions of the controller. |
| Purpose of processing | Defines the purpose, such as providing a service, running marketing campaigns, or fulfilling legal obligations. | Does not define the purpose and cannot reuse data for its own objectives. |
| Legal responsibility | Holds primary responsibility for GDPR compliance, including lawful basis, transparency, and user rights. | Responsible for following the controller’s instructions and implementing appropriate safeguards. |
| Liability for violations | Can be held directly liable for GDPR breaches, including administrative fines and enforcement actions. | Can also be liable, but typically in relation to security failures or acting outside instructions. |
| Contractual obligations | Must put Data Processing Agreements (DPAs) in place and ensure processors meet GDPR requirements. | Must enter into a DPA and process data only as agreed with the controller. |
| Example use cases | A company collecting customer data through its website or app. | A cloud service provider processing customer data on behalf of that company. |
Most GDPR compliance risks arise when organizations assume they are processors when they are actually acting as controllers. Getting this distinction right is critical before you define your responsibilities, assess risk, or select compliance tools.
Responsibilities of a GDPR data controller
Under Art. 24 GDPR, data controllers are responsible for implementing appropriate technical and organizational measures and being able to demonstrate compliance.
While this is particularly important when processing forms part of the organization’s core activities, it remains true even when these activities are outsourced to third parties.
Using vendors, third-party platforms, or processors does not transfer accountability. In fact, the more external entities are relied on, the greater the potential liability for a controller.
If you decide why and how personal data is processed, you are responsible for ensuring that processing complies with the GDPR from start to finish, even if your company is not directly performing the data processing.
These responsibilities are rooted in the GDPR’s data protection principles, and apply across the full data lifecycle, from collection and use, to storage, sharing, and deletion. Below are the key obligations every GDPR data controller must meet.
Selecting a lawful basis for processing
Before any personal data is processed, the data controller must identify and document a valid lawful basis. This could include consent, performance of a contract, legal obligation, legitimate interest, or another basis defined by the GDPR.
Controllers are responsible for choosing the correct lawful basis and being able to justify it. This decision affects how data is collected, how long it is used and retained, and what rights apply to users. Processors cannot make this determination on the controller’s behalf.
Providing users with transparency and information
Data controllers must clearly inform users about how their personal data is processed and what their rights are. This information is typically provided through a privacy policy and/or privacy notices and must be easily accessible, clear to the average person, and kept up to date.
Transparency includes explaining what data is collected, why it is needed, how long it will be stored, and who it will be shared with. If data processing activities change, controllers are responsible for updating their disclosures accordingly.
Managing data subject rights
The GDPR grants data subjects specific rights over their personal data, including the right to access, correct, delete, or restrict processing. Data controllers are responsible for enabling these rights and responding to requests within required timeframes.
Even when a data processor is involved in fulfilling a request, the controller remains accountable for ensuring the request is handled correctly and on time.
Conducting data protection impact assessments (DPIAs)
When processing activities are likely to result in a high risk to individuals’ rights and freedoms, data controllers must carry out a Data Protection Impact Assessment (DPIA). DPIAs are especially relevant when processing special categories of data, such as health data, biometric data, or employee data.
The controller determines whether a DPIA is required, oversees the assessment, and acts on its findings. Data processors may support this work, but the obligation to assess and mitigate risk always sits with the controller.
Applying data protection by design and by default
Data controllers must build data protection into their systems and processes from the outset. This includes limiting data collection to what is necessary, applying appropriate access controls, and ensuring privacy-friendly defaults.
Data privacy by design and by default is not a one-time exercise. Controllers must review and adapt their measures as technologies, risks, and processing purposes evolve.
Data processor privacy compliance and contracts
When personal data is processed by third parties, controllers must select only processors that provide sufficient guarantees of GDPR compliance. This includes putting Data Processing Agreements (DPAs) in place and defining clear, documented instructions for processing.
Controllers are also expected to monitor third-party processor performance and address issues if compliance standards are not met. These requirements are set out in Art. 28 GDPR, which governs the relationship between data controllers and data processors.
Implementing appropriate technical and organizational measures (TOMs)
Data controllers must implement appropriate technical and organizational measures to protect personal data. These measures should reflect the nature of the data and processing, the risks involved, and the state of the art.
Security controls, access management, internal policies, and staff training all form part of this obligation. Together, these technical and organizational measures support the security of processing and help protect personal data against unauthorized access, loss, or misuse.
Together, these responsibilities form the foundation of a data controller’s compliance posture under the GDPR.
How to determine if your organization is a controller or processor
Many entities struggle to classify their role under the GDPR because contracts, job titles, and commercial labels don’t always reflect how data is actually used. The most reliable way to determine whether you are a data controller or data processor is to look at your decision-making in practice.
The GDPR focuses on who has real influence over the purpose and key means of processing. Asking the right questions can quickly clarify your role.
Questions to ask to determine data controller vs. processor roles
Who decides the purpose of processing?
If your organization decides why personal data is processed — for example, to deliver a service, analyze user behavior, or run marketing campaigns — you are acting as a data controller. A processor does not set the purpose; it carries out tasks defined by the controller.
Example: A company decides to collect customer email addresses to send product updates. That company is the controller, even if a third-party email platform sends the messages.
Who decides what data is collected?
Choosing which categories of personal data are collected is another strong indicator of controller status. This includes decisions about whether to collect names, contact details, location data, or behavioral information.
Example: If your team decides to collect website usage data for analytics, you are the controller. An analytics provider processing that data on your instructions is the processor.
Who defines retention periods?
Controllers determine how long personal data is kept and when it should be deleted or anonymized. Processors may apply retention rules, but they do not set them independently.
Example: If your organization defines that customer records are stored for five years after the last recorded interaction, you are acting as the controller, even if storage is handled by a cloud provider.
Who selects third parties and tools?
Deciding which vendors, platforms, or integrations are used for processing personal data is typically a controller responsibility. This includes selecting analytics tools, marketing platforms, or payment providers.
Example: Choosing a specific CRM or advertising platform points to controller status, even if another company operates the technology.
Who communicates with users?
Controllers are usually the party that communicates directly with users (or data subjects) about how their data is processed. This includes providing privacy notices, collecting consent, and responding to rights requests.
Example: If data subjects contact your organization to ask how their data is used or to exercise their rights, your organization is likely the controller.
Common borderline cases
Some of the most common GDPR compliance mistakes happen in situations where roles feel ambiguous. These borderline cases are especially common in SaaS, marketing, and outsourced services. Below are examples where organizations frequently misclassify themselves, and why getting it right matters.
SaaS platforms (B2B software providers)
Typical confusion
SaaS providers often assume they are always data processors because they provide a platform used by customers.
Correct classification
A SaaS provider is usually a data processor for customer data processed on behalf of clients. However, the same provider is often a data controller for personal data collected through its own website, billing systems, product analytics, or support operations.
Why it matters
Misclassifying these roles can lead to missing privacy notices, unclear lawful bases, or gaps in consent management. Controllers must meet transparency and consent obligations, while processors must follow strict instructions and security requirements.
Marketing agencies managing ad accounts
Typical confusion
Marketing agencies may describe themselves as processors because they act “on behalf of” clients.
Correct classification
In many cases, agencies act as data controllers or joint controllers, especially when they decide targeting criteria, campaign strategy, or data sources. If the agency determines how personal data is used in campaigns, it is not acting purely as a processor.
Why it matters
Controller status brings direct responsibility for GDPR compliance, including lawful basis selection and consent management. This is particularly relevant in GDPR marketing and marketing data protection scenarios where tracking and profiling are involved.
Analytics and attribution tools
Typical confusion
Analytics providers are often assumed to be processors because they supply measurement tools.
Correct classification
The website or app owner is typically the data controller, while the analytics provider may be a processor. However, some analytics services act as controllers for certain data uses, such as product improvement or benchmarking.
Why it matters
Analytics frequently rely on tracking technologies and identifiers. Understanding who controls the data affects consent requirements, disclosures, and configuration choices, especially in contexts involving tracking cookies and tools like Google Analytics.
Payment gateway integrations
Typical confusion
Payment providers are often treated as processors because they handle transactions.
Correct classification
Payment gateways commonly act as independent data controllers for payment and fraud prevention data, while also processing some data on behalf of merchants. The exact role depends on the specific processing activity.
Adding further complexity, financial information is often classified as sensitive under data privacy laws, including the GDPR, thus bringing in more restrictions and requiring additional safeguards for its processing.
Why it matters
Independent controller status means payment providers have their own compliance obligations, while merchants must clearly explain data sharing and roles in their privacy notices.
HR and payroll outsourcing
Typical confusion
Organizations may assume that outsourced HR or payroll providers are always processors.
Correct classification
HR and payroll vendors are usually data processors, but they may become controllers for certain statutory or administrative processing required by law.
Why it matters
Employee data is highly sensitive. Clear role definitions are essential for assigning responsibilities, managing access, and ensuring that data protection measures meet regulatory expectations.
These borderline cases show why GDPR roles cannot be determined by labels alone. Understanding who controls the purpose and main means of processing is critical for managing risk, meeting compliance obligations, and applying the right safeguards.
Joint controllers explained
In some processing activities, more than one organization may influence how and why personal data is used. In these cases, the GDPR recognizes a third role: joint controllers.
What are joint controllers?
Joint controllership exists when two or more parties jointly determine the purpose and the essential means of processing personal data. This does not require equal decision-making power. What matters is that each party has a real influence over the processing decisions.
Joint controllers are different from data processors. A data processor acts only on instructions, while joint controllers share decision-making responsibility at a meaningful level.
When does joint controllership apply?
Joint controllership typically applies when:
- Two or more organizations pursue a shared purpose for processing personal data
- Each party has influence over key decisions, such as what data is collected, how it is used, or how long it is kept
This situation is common in modern digital ecosystems, especially where platforms, partners, and brands collaborate closely.
Joint controllers vs. data processors
The distinction is important:
- Joint controllers together define the purpose and core means of processing and are directly responsible under the GDPR.
- Data processors carry out processing tasks on behalf of a data controller and do not define the purpose or reuse the data for their own objectives.
Confusing these roles can lead to missing contractual arrangements, unclear user disclosures, and increased regulatory risk.
Common examples of joint controllers
Facebook Fan Pages
A well-known example comes from European Union case law involving Facebook Fan Pages. In this case, the page operator and Facebook were considered joint controllers because both influenced how personal data was collected and used for page insights and analytics.
Marketplace platforms
Online marketplaces may act as joint controllers with sellers when both parties influence how customer data is used for transactions, communications, or marketing activities.
Co-branded campaigns
When two brands run a shared campaign and jointly decide how customer data is collected and used, they are often acting as joint controllers.
Legal requirements for joint controllers
Under Art. 26 GDPR, joint controllers must:
- Clearly determine their respective responsibilities for GDPR compliance
- Decide who handles transparency, consent, and data subject rights
- Make the essence of this arrangement available to users
This allocation of responsibilities does not remove liability. Individuals can still exercise their rights against any of the joint controllers involved.
Transparency to users
Transparency is especially important in joint controllership scenarios. Users must be informed that multiple parties are involved, understand who does what, and know where to direct questions or requests. Clear disclosures help reduce confusion and demonstrate accountability.
Joint controllership arrangements are a common feature of modern data processing and require careful documentation to meet GDPR expectations.
If you act as a GDPR data controller, compliance depends on having the right foundations in place and being able to demonstrate them. This checklist provides a practical way to assess your compliance posture and highlights where dedicated tools and workflows can reduce risk and manual effort.
- Identify your role for each processing activity: determine whether you are acting as a data controller, joint controller, or processor for every use of personal data. (Remember that roles can vary depending on the context.)
- Document your lawful basis or bases: record the lawful basis for each processing activity and ensure it aligns with how data is actually used. Be prepared to explain and justify these choices.
- Maintain clear, accurate, up-to-date privacy notices: keep them aligned with the technologies currently in use and the real processing activities, including data sharing, retention periods, and user rights.
- Execute Data Processing Agreements (DPAs): put DPAs in place with all processors and confirm that responsibilities, security measures, and instructions are clearly defined.
- Maintain comprehensive consent records over time: where consent is required, ensure that it is obtained in a valid, documented way and is easy to withdraw. Records should be accessible for audits and regulatory reviews.
- Enable data subject rights workflows: have clear processes for handling access, deletion, correction, and objection requests so they are fulfilled within GDPR timelines.
- Review vendors and processing regularly: assess processors, tools, and integrations on an ongoing basis to confirm they continue to meet GDPR requirements.
How data controllers manage consent effectively
For many organizations, consent is one of the most visible and high-risk areas of GDPR compliance. Under the GDPR, consent is always a data controller responsibility, even when third-party tools are used to collect or manage it. Controllers must decide when consent is required, what it covers, how it is recorded, and remain accountable for the outcome.
This is why many controllers rely on dedicated consent management tools, while still retaining ownership of consent decisions and user experience.
Consent management platform (CMP) requirements for data controllers
Consent management platforms help controllers operationalize consent requirements at scale. To support GDPR compliance, a CMP should enable the following capabilities.
Granular consent choices
Users must be able to make specific, informed choices about how their personal data is used, rather than being forced into all-or-nothing decisions or denied real choice.
Automatic blocking of scripts
Tracking technologies and cookies should be blocked by default until valid consent is given via the cookie consent banner. This is especially important for marketing, analytics, and advertising use cases.
Consent record-keeping
Controllers must be able to demonstrate when and how consent was obtained, as well as what information the user was shown at that time. Changes to a user’s consent choices over time also need to be logged. A CMP should automatically log consent choices and make them available for audits or regulatory reviews.
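To make the three capabilities above concrete (granular choices, blocking of scripts until consent, and a consent record that shows what the user saw), here is an added example of a minimal consent store. It is illustrative code written for this article, not code from the original page or from any real CMP product; the category list, the `ConsentStore` class and the `data-consent-category` tagging convention it mentions are this example's own assumptions.

```javascript
// Added example (not code from the original article or any real CMP):
// a minimal consent store modelling three CMP capabilities: granular
// per-category choices, blocking of tagged scripts until consent exists,
// and an append-only consent record that captures what the user saw.
// CATEGORIES, ConsentStore and the data-consent-category convention are
// assumptions of this example.

// Categories the user can accept or reject individually (constructed list).
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

class ConsentStore {
  // noticeVersion identifies the banner/notice text shown to the user so the
  // record can show what they were told at the time; `now` is injectable so
  // the demo below is deterministic.
  constructor(noticeVersion, now = () => new Date().toISOString()) {
    this.noticeVersion = noticeVersion;
    this.now = now;
    this.records = [];   // append-only: earlier decisions are never overwritten
    this.current = null; // latest decision; null until the user has chosen
  }

  // Record a granular decision. Only categories explicitly set to true are
  // granted; anything omitted is denied (privacy-friendly default).
  // 'necessary' is always allowed because the service cannot run without it.
  record(choices, source) {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === 'necessary' || choices[c] === true;
    }
    const entry = {
      timestamp: this.now(),
      noticeVersion: this.noticeVersion,
      source, // where the decision came from, e.g. 'banner' or 'withdraw'
      granted,
    };
    this.records.push(entry);
    this.current = entry;
    return entry;
  }

  // Withdrawal must be as easy as consenting: one call denies every optional
  // category and is logged like any other decision.
  withdraw() {
    return this.record({}, 'withdraw');
  }

  isAllowed(category) {
    if (category === 'necessary') return true;
    return this.current !== null && this.current.granted[category] === true;
  }

  // Which tagged scripts may be activated. Each tag is { src, category }; in a
  // page the category would be read from an assumed data-consent-category
  // attribute on a <script type="text/plain"> element, and activating means
  // re-inserting it as text/javascript. Before any decision only 'necessary'
  // scripts pass, which is what "blocked by default" means in practice.
  scriptsToActivate(tags) {
    return tags.filter((t) => this.isAllowed(t.category)).map((t) => t.src);
  }

  // Audit view: what the user was shown and chose, in chronological order.
  auditTrail() {
    return this.records.map((r) => ({
      timestamp: r.timestamp,
      noticeVersion: r.noticeVersion,
      source: r.source,
      granted: CATEGORIES.filter((c) => r.granted[c]),
    }));
  }
}

// Constructed sample of script tags found on a page.
const SAMPLE_TAGS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/collect.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Walk through banner -> partial consent -> withdrawal with a fixed clock.
function demo() {
  let tick = 0;
  const store = new ConsentStore('privacy-notice-v3', () => `2024-01-0${++tick}T00:00:00Z`);
  const before = store.scriptsToActivate(SAMPLE_TAGS);
  store.record({ analytics: true }, 'banner');
  const afterBanner = store.scriptsToActivate(SAMPLE_TAGS);
  store.withdraw();
  const afterWithdraw = store.scriptsToActivate(SAMPLE_TAGS);
  return { before, afterBanner, afterWithdraw, trail: store.auditTrail() };
}
```

Two design points carry the compliance weight here: the record stores the notice version alongside the decision, so an audit can reconstruct what the user was actually told, and the log is append-only, so a later withdrawal is visible as a new entry rather than silently replacing the original consent.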
Multi-region compliance support
Organizations operating across regions need to account for overlapping privacy laws. A CMP should support compliance with frameworks such as the GDPR, CCPA, and LGPD without fragmenting user experience or workflows.
Consent aligned with marketing use cases
Consent signals should integrate cleanly with marketing tools and strategies to support compliant activation and facilitate consent-based marketing, especially over time as your company grows.
Server-side and advanced consent approaches
As data ecosystems become more complex, many controllers are moving beyond browser-based consent alone.
Google Consent Mode enables consent signals to be passed to tags and platforms in a structured way, helping controllers adjust data collection behavior based on user choices.
Server-side tagging further strengthens control by shifting data processing away from the browser and into a controlled server environment. This approach can:
- Reduce unintended data sharing
- Improve governance over third-party requests
- Limit data leakage before consent is applied
Together, these approaches help data controllers maintain effective consent management while adapting to evolving privacy expectations and technical requirements.
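The following added example shows how a controller's CMP decision is handed to Google Consent Mode and how the same state can gate a server-side tagging endpoint. It is written for this article and is not code from the original page or from Google. The `gtag('consent', 'default' | 'update', ...)` calls, the signal names and `wait_for_update` are Google's documented Consent Mode interface; the category-to-signal mapping, the `dataLayer` stand-in, the server-side gating function and the sample vendor list are this example's own assumptions.

```javascript
// Added example (not from the article or from Google): how a controller's CMP
// decision is passed to Google Consent Mode, and how the same state can gate
// a server-side tagging endpoint. gtag('consent', 'default'|'update', ...),
// the signal names and wait_for_update are Google's documented Consent Mode
// interface; the category-to-signal mapping, the dataLayer stand-in and the
// helper names are this example's own assumptions.

const dataLayer = [];                              // stands in for window.dataLayer
function gtag() { dataLayer.push(arguments); }     // Google's documented shim

// CMP categories on the left, Consent Mode signals they control on the right.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Default state pushed before any tag runs (in a page: in <head>, above the
// gtag or GTM snippet). Everything optional starts denied; security_storage is
// granted because fraud prevention needs no consent. wait_for_update tells
// tags to hold for up to 500 ms for the CMP's stored decision.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500,
  });
}

// Translate granular CMP choices into signal values; an unset category is denied.
function consentToSignals(choices) {
  const update = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    for (const s of signals) {
      update[s] = choices[category] === true ? 'granted' : 'denied';
    }
  }
  return update;
}

// Called by the CMP when the user decides or changes their mind.
function applyUserConsent(choices) {
  const update = consentToSignals(choices);
  gtag('consent', 'update', update);
  return update;
}

// Fold every consent call on the dataLayer into the effective state.
function effectiveConsentState() {
  const state = {};
  for (const call of dataLayer) {
    if (call[0] === 'consent') Object.assign(state, call[2]);
  }
  delete state.wait_for_update;
  return state;
}

// Server-side counterpart (assumed design): the tagging server receives the
// client's consent state with each event and forwards an event to a vendor
// only if every signal that vendor needs is granted, so nothing leaves the
// controlled environment before consent is applied.
function forwardableEvents(state, events) {
  return events
    .filter((e) => e.requires.every((s) => state[s] === 'granted'))
    .map((e) => e.vendor);
}

// Constructed sample of vendor calls a server-side container might make.
const SAMPLE_EVENTS = [
  { vendor: 'analytics-collector', requires: ['analytics_storage'] },
  { vendor: 'ad-conversion-api', requires: ['ad_storage', 'ad_user_data'] },
];

// Defaults first, then a user who accepts analytics but rejects marketing.
function demo() {
  setConsentDefaults();
  const beforeChoice = forwardableEvents(effectiveConsentState(), SAMPLE_EVENTS);
  applyUserConsent({ analytics: true, marketing: false });
  const afterChoice = forwardableEvents(effectiveConsentState(), SAMPLE_EVENTS);
  return { beforeChoice, afterChoice, state: effectiveConsentState() };
}
```

The ordering matters in a real page: the `default` call must run before the tag manager snippet so no tag fires under an undefined state, and the `update` is issued by the CMP, which keeps the consent decision with the controller rather than with the tag vendor. The server-side gate applies the same denied-by-default rule to outbound vendor requests, which is where the "limit data leakage before consent is applied" benefit of server-side tagging comes from.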
Enforcement trends for data controllers
GDPR enforcement activity shows a consistent pattern: regulators focus on data controllers first. Under Art. 24 GDPR, controllers carry primary responsibility for compliance, including implementing appropriate technical and organizational measures. The biggest GDPR penalty in history was the EUR 1.2 billion fine imposed on Meta Platforms Ireland Ltd. (acting as the data controller for Facebook in the EU) in May 2023.
Supervisory authorities in each EU Member State — also known as data protection authorities — typically focus enforcement efforts on data controllers first, especially when systemic issues affect users’ rights.
Common enforcement triggers
Regulatory investigations are often triggered by invalid consent, poor transparency, or data breaches that expose personal data due to insufficient safeguards.
Invalid or missing consent
Consent that is bundled, unclear, or collected after processing has already begun remains a frequent cause of enforcement actions. Controllers are expected to prove that consent was explicit, freely given, informed, and properly recorded.
In 2019, France’s data protection authority (CNIL) fined Google EUR 50 million after finding that consent for personalized ads was bundled, insufficiently specific, and not clearly informed, making it invalid under the GDPR.
Poor transparency
Outdated or incomplete privacy notices are another common trigger. When disclosures do not accurately reflect real and current data practices, regulators view this as a failure of accountability.
In 2021, WhatsApp was fined EUR 225 million after regulators found its privacy notices failed to accurately and transparently reflect how personal data was processed and shared, breaching GDPR accountability and transparency obligations.
Vendor and processor mismanagement
Using third parties without proper agreements, oversight, or safeguards can expose controllers to risk. Even when a processor is responsible for an error, the controller may still face enforcement action if governance is deemed to be lacking.
One example is the British Airways case in 2020, where the UK ICO fined the controller GBP 20 million despite the breach involving third-party code, finding that inadequate oversight and governance exposed customers’ data.
Why documentation matters
Across enforcement cases, one theme stands out: the ability to demonstrate compliance. The GDPR itself states this explicitly in Art. 5(2): “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Additionally, UK ICO enforcement summaries consistently show that penalties aren’t driven only by what went wrong, but by whether organizations could demonstrate compliance through clear documentation, governance, and risk-based decision-making.
Regulators not only assess what measures are in place, but whether controllers can show how decisions were made and implemented.
Clear records of lawful bases, consent, processor agreements, and risk assessments help reduce uncertainty during audits and investigations. They also make it easier to identify and fix gaps before they lead to penalties. For an overview of enforcement outcomes and consequences, see our overview on GDPR penalties.