
GDPR controller vs processor: roles, responsibilities, and compliance obligations

Summary

Data rarely sits still in an organization. It flows constantly from your business to service providers, cloud platforms, marketing partners, and other external vendors. 

Each organization along the chain may collect, store, or process personal data for distinct purposes, adding layers of responsibility and complexity.

The General Data Protection Regulation (GDPR) helps untangle this complexity by assigning clear roles: data controllers and data processors. But in practice, the boundary isn’t always obvious. A company may control some decisions, follow another organization’s instructions for other workflows, or even operate in both capacities simultaneously.

This article explains how to recognize the functional differences between GDPR controllers and processors, how these roles show up in real workflows, and how to classify your organization with confidence.

At a glance

  • Under the GDPR, a data controller decides why and how personal data is processed, shaping overall data strategy, while a data processor carries out data handling on the controller’s instructions.
  • Both controllers and processors are directly subject to GDPR, but controllers hold primary accountability for lawful basis, transparency, and vendor oversight.
  • Controllers define what data is collected, how long it is kept, and for what purposes, while processors carry out operations like storage or analysis within those parameters.
  • Many organizations act as both controllers and processors depending on the context, so they must assess each processing activity separately. 
  • Usercentrics helps both controllers and processors simplify GDPR compliance by centralizing consent management.

GDPR definitions of data processors and controllers

GDPR principles lay out clear criteria for controllers and processors, and those definitions shape responsibilities for each role.

What is a data controller?

According to Art. 4 GDPR, a data controller is a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. 

Beyond deciding the purpose and means of data processing, a data controller “shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the] Regulation,” per Art. 24 GDPR.

Being a data controller also involves making strategic choices about technology and partnerships. For example, choosing which analytics platform to use, selecting a cloud provider, or determining which marketing automation tools will process personal data all fall under the controller’s responsibility.

What is a data processor?

Art. 4 GDPR states that a data processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of [a] controller.” They often specialize in specific functions, such as hosting, cloud storage, analytics, marketing automation, or customer support.

Under Art. 28 GDPR, controllers may use only processors that provide “sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of [the] Regulation and ensure the protection of the rights of the data subject.”

In other words, processors are responsible for ensuring that personal data is handled according to the controller’s instructions and that operational safeguards are in place to protect the data.

So while the controllers define the why and how, the processors focus on the operational aspects of data handling. This role often shows up where businesses rely on multiple vendors, cloud providers, and service platforms to process information securely and efficiently.

Is the GDPR applicable to both data controllers and processors?

The GDPR applies to both data controllers and data processors, and both are accountable for ensuring that they manage personal data lawfully, securely, and transparently. 

However, the regulation recognizes that the responsibilities of each role are different, reflecting the distinct ways in which each player interacts with personal data. 

Data controllers are responsible for the strategic decisions regarding how to handle personal data. Their obligations focus on:

  • Establishing a lawful basis for collecting and processing data
  • Defining the purpose, scope, and duration of data use
  • Ensuring transparency by informing data subjects about how their data will be used
  • Selecting third-party processors and monitoring their compliance with GDPR requirements
  • Conducting risk assessments, following data protection principles, and carrying out Data Protection Impact Assessments (DPIAs) when required

Data processors, by contrast, carry out data processing on behalf of a controller and are responsible for following its instructions and guidelines. They also have their own obligations under the GDPR, which include:

  • Implementing robust technical and organizational measures to protect personal data from breaches or misuse
  • Maintaining Records of Processing Activities (RoPAs) to demonstrate accountability
  • Assisting the data controller with requests from data subjects, such as access, correction, or deletion of data
  • Promptly reporting any personal data breaches or incidents to the data controller

What is the difference between a data controller and a processor?

While controllers and processors work together in the data lifecycle, their roles are fundamentally different. Here’s a quick breakdown of how they differ in responsibility, authority, and accountability.

| | Data controller | Data processor |
|---|---|---|
| Definition | Entity that determines the purposes and means of personal data processing. | Entity that processes personal data on behalf of the controller, following their instructions. |
| Key responsibilities | Decide why and how data is processed; ensure lawful processing; manage consent; oversee processors; manage and demonstrate compliance. | Process data only per controller instructions; keep data secure; assist the data controller with GDPR obligations; keep records of processing. |
| Data handling | Defines what data is collected, the retention period, and the processing methods. | Executes operations like storage, analysis, or transmission according to the controller’s specifications. |
| Liability | Primary accountability for compliance; can be fined for breaches of GDPR obligations. | Liable if they act outside of the instructions of the controller or fail to comply with GDPR obligations for processors. |
| Transparency | Must inform data subjects about data collection, purpose, retention, and rights. | Supports the data controller in providing information; typically does not communicate directly with data subjects. |
| RoPAs | Must maintain a comprehensive RoPA covering all processing activities under their responsibility. | Must maintain records of processing carried out for each data controller, including duration, categories, and security measures. |
| DPIAs | Required to conduct DPIAs for high-risk processing activities. | Assists the data controller with DPIAs, providing necessary information and support. |
| Data breaches | Responsible for notifying supervisory authorities and affected individuals when required. | Must inform the data controller without delay upon becoming aware of a personal data breach. |
| Legal reference | Art. 4(7) GDPR, Art. 24 GDPR, Art. 26 GDPR | Art. 4(8) GDPR, Art. 28 GDPR, Art. 29 GDPR |
| Example | A SaaS platform that collects customer information to manage accounts, subscriptions, and email lists. | A payment gateway that processes credit card transactions and stores payment information per the SaaS platform’s instructions. |

What is an example of a data controller and processor?

Consider an e-commerce company that collects customer data for various purposes, from processing orders and managing accounts to running marketing campaigns. This data might include customer billing and shipping information, payment details, and information about customer behavior. 

In this case, the e-commerce company is a data controller. It decides what data to collect, why it’s needed, how long it’s retained, and which analytics tools or third-party services can process the data. The company is responsible for obtaining consent, managing user rights, and ensuring GDPR compliance across the organization.

But perhaps they use an email marketing agency that manages their newsletter and email campaigns. This agency would be considered a data processor in this scenario. It’s obligated to follow the company’s instructions, implement security measures, maintain processing records, and notify the e-commerce company in case of a data breach. 

How do I know if I am a data controller or processor?

Data processor and controller responsibilities often overlap in complex data operations. The key question is simple: Who is responsible for GDPR compliance? 

Here’s a checklist to help clarify your role:

You’re a data controller if your organization:

  • Decides why personal data is collected (purposes and legal basis)
  • Determines how personal data is processed and stored
  • Sets the scope, retention periods, and processing methods
  • Instructs vendors, partners, or tools on how to handle data
  • Is responsible for obtaining consent and managing data subject rights
  • Oversees third-party processors to ensure GDPR compliance
  • Communicates directly with individuals about how their data is used

You’re a data processor if your organization:

  • Processes personal data on behalf of another party
  • Does not determine the purpose or means of processing
  • Follows instructions provided by the data controller
  • Implements security measures as required by the data controller
  • Assists the data controller in handling data subject requests or audits
  • Maintains records of processing activities for the data controller
  • Notifies the data controller in the event of a personal data breach

Can a company be both a controller and a processor?

It’s possible, and quite common, for an organization to act as both a data controller and a data processor, depending on the context and the data involved. But this dual role can introduce additional compliance complexity. 

To manage the different responsibilities, potential liabilities, and risk exposures effectively, organizations must:

  • Assess each dataset and activity individually to determine whether controller or processor obligations apply
  • Implement policies and procedures that clearly reflect the role for each processing activity
  • Maintain separate documentation, such as RoPAs and DPAs, for activities performed as a controller vs. those performed as a data processor
  • Conduct ongoing risk assessments to demonstrate compliance and ensure that obligations are met for both roles

If multiple organizations work together and jointly decide why and how personal data is processed, they may fall under joint controllership, where responsibilities are shared and must be clearly divided in a joint controller arrangement.

Simplified GDPR compliance for both data controllers and processors

The roles of data controller and processor both carry obligations that, if ignored, can have serious operational and legal consequences.

Whether you act as a controller, processor, or both, you need to understand the steps for maintaining GDPR requirements, from what qualifies as valid consent to how to document your processing activities.  

Usercentrics helps simplify the process of achieving and maintaining GDPR compliance. The platform centralizes consent management and maintains up-to-date consent records to support organizations in meeting GDPR obligations efficiently. 

With Usercentrics, GDPR compliance becomes a manageable, structured process that helps to protect your organization and builds trust with customers.

Manage consent, build trust, and achieve GDPR compliance

Usercentrics helps businesses collect, document, and signal valid consent to simplify privacy compliance obligations and build trust with users.

Tilman Harmeling
Senior Expert Privacy, Usercentrics GmbH
Having focused on the business and technical complexities of privacy throughout his career, Tilman has gained significant and varied...