# [GDPR controller vs processor: roles, responsibilities, and compliance obligations](https://usercentrics.com/knowledge-hub/gdpr-controller-vs-processor/)

**GDPR compliance starts with knowing how the law applies to your business. This article explains the difference between controllers and processors under the regulation, outlines the responsibilities of each, and demonstrates how to navigate dual roles.**

*Author: Tilman Harmeling — Read time: 7 mins — Published: Jan 15, 2026*

---

Data rarely sits still in an organization. It flows constantly from your business to service providers, cloud platforms, marketing partners, and other external vendors.

Each organization along the chain may collect, store, or process personal data for distinct purposes, adding layers of responsibility and complexity.

The General Data Protection Regulation (GDPR) helps untangle this complexity by assigning clear roles: data controllers and data processors. But in practice, the boundary isn't always obvious. A company may control some decisions, follow another organization's instructions for other workflows, or even operate in both capacities simultaneously.

This article explains how to recognize the functional differences between GDPR controllers vs processors, how these roles show up in real workflows, and how to classify your organization with confidence.

### At a glance

- Under the GDPR, a data controller decides why and how personal data is processed, shaping overall data strategy, while a data processor carries out data handling on the controller's instructions.
- Both controllers and processors are directly subject to GDPR, but controllers hold primary accountability for lawful basis, transparency, and vendor oversight.
- Controllers define what data is collected, how long it is kept, and for what purposes, while processors carry out operations like storage or analysis within those parameters.
- Many organizations act as both controllers and processors depending on the context, so they must assess each processing activity separately.
- Usercentrics helps both controllers and processors simplify GDPR compliance by centralizing consent management.

---

## GDPR definitions of data processors and controllers

[GDPR principles](https://usercentrics.com/knowledge-hub/principles-of-gdpr/) lay out clear criteria for controllers and processors, and those definitions shape responsibilities for each role.

### What is a data controller?

According to [Art. 4 GDPR](https://gdpr.eu/article-4-definitions/), a data controller is a "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

Beyond deciding the purpose and means of data processing, a data controller "shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the] Regulation," per [Art. 24 GDPR](https://gdpr.eu/article-24-responsibility-of-the-data-controller/).

Being a data controller also involves making strategic choices about technology and partnerships. For example, choosing which analytics platform to use, selecting a cloud provider, or determining which marketing automation tools will process personal data all fall under the controller's responsibility.

### What is a data processor?

[Art. 4 GDPR](https://gdpr.eu/article-4-definitions/) states that a data processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of [a] controller." They often specialize in specific functions, such as hosting, cloud storage, analytics, marketing automation, or customer support.

Under [Art. 28 GDPR](https://gdpr.eu/article-28-processor/), controllers may use only processors that provide "sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of [the] Regulation and ensure the protection of the rights of the data subject".

In other words, processors are responsible for ensuring that personal data is handled according to the controller's instructions and that operational safeguards are in place to protect the data.

So while the controllers define the why and how, the processors focus on the operational aspects of data handling. This role often shows up where businesses rely on multiple vendors, cloud providers, and service platforms to process information securely and efficiently.

---

## Is the GDPR applicable to both data controllers and processors?

The GDPR applies to both data controllers and data processors, and both are accountable for ensuring that they manage personal data lawfully, securely, and transparently.

However, the regulation recognizes that the responsibilities of each role are different, reflecting the distinct ways in which each player interacts with personal data.

Data controllers are responsible for the strategic decisions regarding how to handle personal data. Their obligations focus on:

- Establishing a lawful basis for collecting and processing data
- Defining the purpose, scope, and duration of data use
- Ensuring transparency by informing data subjects about how their data will be used
- Selecting third-party processors and monitoring their compliance with GDPR requirements
- Conducting risk assessments, following data protection principles and carrying out [Data Protection Impact Assessments (DPIAs)](https://usercentrics.com/knowledge-hub/data-protection-impact-assessment-dpia/) when required

Data processors, by contrast, carry out data processing on behalf of a controller and are responsible for following instructions and guidelines. They also have their own obligations under the GDPR, which include:

- Implementing robust technical and organizational measures to protect personal data from breaches or misuse
- Maintaining [Records of Processing Activities (RoPAs)](https://usercentrics.com/knowledge-hub/ropa/) to demonstrate accountability
- Assisting the data controller with requests from data subjects, such as access, correction, or deletion of data
- Promptly reporting any personal data breaches or incidents to the data controller

---

## What is the difference between a data controller and a processor?

While controllers and processors work together in the data lifecycle, their roles are fundamentally different. Here's a quick breakdown of how they differ in responsibility, authority, and accountability.

| | **Data controller** | **Data processor** |
| --- | --- | --- |
| **Definition** | Entity that determines the purposes and means of personal data processing. | Entity that processes personal data on behalf of the controller, following their instructions. |
| **Key responsibilities** | Decide why and how data is processed; Ensure lawful processing; Manage consent; Oversee processors; Manage and demonstrate compliance | Process data only per controller instructions; Keep data secure; Assist data controller with GDPR obligations; Keep records of processing |
| **Data handling** | Defines what data is collected, the retention period, and the processing methods. | Executes operations like storage, analysis, or transmission according to the controller's specifications. |
| **Liability** | Primary accountability for compliance; can be fined for breaches of GDPR obligations. | Liable if they act outside of the instructions of the controller or fail to comply with GDPR obligations for processors. |
| **Transparency** | Must inform data subjects about data collection, purpose, retention, and rights. | Supports the data controller in providing information; typically does not communicate directly with data subjects. |
| **RoPAs** | Must maintain comprehensive RoPA covering all processing activities under their responsibility. | Must maintain records of processing carried out for each data controller, including duration, categories, and security measures. |
| **DPIAs** | Required to conduct DPIAs for high-risk processing activities. | Assists the data controller with DPIAs, providing necessary information and support. |
| **Data breaches** | Responsible for notifying supervisory authorities and affected individuals when required. | Must inform the data controller without delay upon becoming aware of a personal data breach. |
| **Legal reference** | [Art. 4(7) GDPR](https://gdpr.eu/article-4-definitions/), [Art. 24 GDPR](https://gdpr.eu/article-24-responsibility-of-the-data-controller/), [Art. 26 GDPR](https://gdpr.eu/article-26-joint-controllers/) | [Art. 4(8) GDPR](https://gdpr.eu/article-4-definitions/), [Art. 28 GDPR](https://gdpr.eu/article-28-processor/), [Art. 29 GDPR](https://gdpr.eu/article-29-processing-under-controller-or-processor/) |
| **Example** | A SaaS platform that collects customer information to manage accounts, subscriptions, and email lists. | A payment gateway that processes credit card transactions and stores payment information per the SaaS platform's instructions. |

### What is an example of a data controller and processor?

Consider an e-commerce company that collects customer data for various purposes, from processing orders and managing accounts to running marketing campaigns. This data might include customer billing and shipping information, payment details, and information about customer behavior.

In this case, the e-commerce company is a data controller. It decides what data to collect, why it's needed, how long it's retained, and which analytics tools or third-party services can process the data. The company is responsible for obtaining consent, managing user rights, and ensuring GDPR compliance across the organization.

But perhaps they use an email marketing agency that manages their newsletter and email campaigns. This agency would be considered a data processor in this scenario. It's obligated to follow the company's instructions, implement security measures, maintain processing records, and notify the e-commerce company in case of a data breach.

---

## How do I know if I am a data controller or processor?

Data processor and controller responsibilities often overlap in complex data operations. The key question is simple: [Who is responsible for GDPR compliance?](https://usercentrics.com/knowledge-hub/who-is-responsible-for-gdpr-compliance/)

Here's a checklist to help clarify your role:

**You're a data controller if your organization:**

- Decides why personal data is collected (purposes and legal basis)
- Determines how personal data is processed and stored
- Sets the scope, retention periods, and processing methods
- Instructs vendors, partners, or tools on how to handle data
- Is responsible for obtaining consent and managing data subject rights
- Oversees third-party processors to ensure GDPR compliance
- Communicates directly with individuals about how their data is used

**You're a data processor if your organization:**

- Processes personal data on behalf of another party
- Does not determine the purpose or means of processing
- Follows instructions provided by the data controller
- Implements security measures as required by the data controller
- Assists the data controller in handling data subject requests or audits
- Maintains records of processing activities for the data controller
- Notifies the data controller in the event of a personal data breach

### Can a company be both a controller and a processor?

It's possible, and quite common, for an organization to act as both a data controller and a data processor, depending on the context and the data involved. But this dual role can introduce additional compliance complexity.

**To manage the different responsibilities, potential liabilities, and risk exposures effectively, organizations must:**

- Assess each dataset and activity individually to determine whether controller or processor obligations apply
- Implement policies and procedures that clearly reflect the role for each processing activity
- Maintain separate documentation, such as RoPAs and [DPAs](https://usercentrics.com/knowledge-hub/what-is-dpa-data-processing-agreement/), for activities performed as a controller vs. those performed as a data processor
- Conduct ongoing risk assessments to demonstrate compliance and ensure that obligations are met for both roles

If multiple organizations work together and jointly decide why and how personal data is processed, they may fall under [joint controllership](https://usercentrics.com/knowledge-hub/joint-controllership-and-gdpr/), where responsibilities are shared and must be clearly divided in a joint controller arrangement.

---

## Simplified GDPR compliance for both data controllers and processors

The roles of data controller and processor both carry obligations that, if ignored, can have serious operational and legal consequences.

Whether you act as a controller, processor, or both, you need to understand the steps for maintaining [GDPR requirements](https://usercentrics.com/knowledge-hub/the-eu-general-data-protection-regulation/), from what qualifies as valid consent to how to document your processing activities.

Usercentrics helps simplify the process of achieving and maintaining GDPR compliance. The platform centralizes consent management and maintains up-to-date consent records to support organizations in meeting GDPR obligations efficiently.

With Usercentrics, GDPR compliance becomes a manageable, structured process that helps to protect your organization and builds trust with customers.

---

## Frequently asked questions

### What does a data processor do under the GDPR?

Under the GDPR, a data processor processes personal data on behalf of a data controller and only according to the controller's documented instructions. Processors typically provide services such as hosting, analytics, payroll, or consent management, and must apply appropriate technical and organizational measures to help protect personal data and support compliance obligations.

### Who are GDPR data controllers?

Data controllers are organizations or individuals that determine the purposes and means of processing personal data under the GDPR. In practice, this means they decide why personal data is collected and how it is used. Controllers are primarily responsible for meeting GDPR requirements, including establishing a lawful basis for processing and respecting data subject rights.

### What is a joint controller under the GDPR?

Joint controllers are two or more entities that jointly determine the purposes and means of processing personal data. Under the GDPR, joint controllers must clearly define their respective responsibilities — typically in an agreement — and make the essence of that arrangement available to data subjects to support transparency and accountability.
