Privacy By Dsign Default

GDPR Data Controller vs. Data Processor Explained

Defining data processing roles within a controller / processor contract requires a deep understanding  of its obligations and liabilities if you  are to make it a success remain compliant.

There is many a conversation taking place  over the responsibilities and accountability of  data controllers and data processors. Both have responsibilities under the GDPR, but their obligations to the regulation  differs. Predominantly, data controllers have more accountability and liability, but processors have new responsibilities and new added layers of liability written into their roles.

I often hear the term “are you a controller or processor”, It’s not as simple of that of course. Although you cannot hold  the controller and processor roles in a single data processing activity, you can if you are a service organisation  hold  the controller role in one process activity and be the processor in another processing activity. Organisations should look at their Data Processing Addendums and SCC Agreements and ensure that they are clear what role in that agreement they hold.

We will  attempt to guide you through the descending mist on the subject in this article.

Stay with us  to find out what areas  of the regulation are relevant and apply  to your operations most and how you need to work together with your partner / vendor to reach and  maintain GDPR compliance.

Definitions of Controller and Processor

data controller is: “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”

Data processors process personal data on behalf of the controller in the way instructed by the controller.and that extends to any sub- processor used by the processor..

Here’s an example:

Your online store  captures email addresses and other personal data provided by both store visitors  and store members for sales and marketing purposes. All the data collected is then sent on to Jon Doe  Global Marketing Ltd for the purpose of utilising the information for email marketing, SEO, and social media campaigns.

By providing  both the data and the processing activity instructions, then you are the data controller in the relationship  and Jon Doe Global Marketing Ltd is the data processor.

If you were to  provide the data but delegate to Jon Doe  Global Marketing Ltd the means of processing the data , then you are both data controllers and Jon Doe  Global Marketing Ltd is also the processor.

Why is there so much importance  who provides the “purposes and means of processing?”

The GDPR differentiates  between these roles for compliance purposes. The European Commission’s guidance holds the data controller to be the accountable party responsible for collecting, managing, and providing access to data.

For example, if a data subject exercised their right  to request their data, the controller would access it from their servers or from the processor they contracted to handle the data.

Differing Roles for Controllers and Processors

The GDPR Regulations  distinguishes between controllers and processors for  the purpose of responsibility and accountability. As a result, each receives different assigned roles for GDPR  compliance.

Let’s take more detailed look into  each party’s role according to legislative requirements.

Data Collection

Only data controllers collect personal data from data subjects. As a result of this, data controllers are also responsible for determining their lawful basis to obtain that data.

Data controllers need to establish a lawful basis  for collecting the data using one of the six bases for data collection featured in the GDPR and if the data includes special category data data controllers must also establish a basis for collecting and processing that data using one of  one of the ten basis also featured in the GDPR.

Organisations must also  ensure their process is transparent by creating and publishing  a Privacy Policy on their website that outlines:

  • What data they collect
  • How they store the information
  • How they use the information
  • Whom they share the data with
  • Whether they share the data with third parties
  • When and how they dispose of  the data

As soon as  a data processor becomes involved in  the collection of data, they become a data controller and all of the above responsibilities apply.


Controllers are held  accountable  to only use data processors who follow the legislation. There should be detailed due diligence in the selection process of data processors. This usually takes the form of  a due diligence questionnaire, and could include a data privacy audit. Where there is high risk involved then a DPIA must be carried out as part of the process.

Furthermore , at all times  a data controller and data processor agree to work together, they must use a clearly defined contract to do so. The contract must outline the instructions the processor must follow when processing the data.

Include the following stipulated  GDPR- information in each contract:

  • Nature, purpose, subject, and full timeline of processing plan
  • Controller rights and obligations
  • Categories of data include
  • Categories of data subjects
  • Agreement to adhere to instructions
  • Confidentiality issues
  • Commitment to security and Article 32
  • Terms of hiring sub-processors
  • Evidence of compliance with Article 28
  • Return and disposal of data

The design and  introduction  of a contract is the responsibility of the data controller. Data processors are accountable  by law to follow the instructions provided by the controller.

If the controller fails to outline the required data processing activities  and leaves the methods and means up to the processor, then the processor becomes a  controller in the eyes of the law.

Data processors are not only accountable  to uphold the terms of the contract. They must also inform the controller if something in the terms of the contract contravenes  on any of the GDPR or other legislations.

Codes of Conduct or Certifications

In addition to having a contract, both controllers and processors must agree to a code of conduct or a recognized certification process that specifies how the agreement meets GDPR standards.

Read more about Codes of Conduct in Article 40


The GDPR holds data controllers accountable and responsible  for the collection, use, and disposal of personal data in most cases.

However,  previously  data controllers were already liable under both European legislation and national law.

What’s new in GDPR is the added accountability and liability for data processors.

Under the GDPR , individuals whose data you hold may send queries or complaints to either the data controller or the data processor.

Data processors are liable when they work outside of instructions provided to them by the controller or when they violate the terms of the GDPR.

Both the controller and processor must ensure through sound   security practices that they achieve and maintain  compliance with the GDPR. Each party involved in the contract has an obligation to protect data from:

  • Unauthorized access (both internal and external)
  • Loss of Availability of the data
  • Destruction
  • Accidental loss
  • Disclosure

The GDPR outlines the measures in Article 32 and applies them to both controllers and processors equally.

Agreed security measures must be detailed  in the contract, but the guidance also requires both parties to go one step further.

In addition to using adequate and appropriate security measures, both controllers and processors must adhere to the approved code of conduct or certification mechanism agreed upon.

The code of conduct is outlined in Article 40(2).

Data Protection Impact Assessments

Controllers must use data protection impact assessments whenever they instruct a processor to carry out a high-risk data processing   activity. Each member states Supervisory Authority outlines what it considers to be high-risk activities.

Each Data Protection Impact Assessment (DPIA) must include a minimum of four essential elements:

  1. Description of the purpose of the process and the process itself
  2. Assessment of need for processing
  3. Evaluation of risks
  4. Measures applied to address and minimize risks

When should controllers carry out a data protect impact assessment?

Here are a few instances:

  • Trying out new technologies
  • Carrying out large scale profiling
  • Extensive and systematic profiling
  • Large scale processing of special category data
  • Mixing or matching data from multiple sources
  • Processing children’s data for marketing purposes
  • Processing data that might cause physical harm if breached


Transparency is a crucial goal of the GDPR

Article 5.2 says that data controllers “must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.

Transparency should  continue throughout the life of the data from collection to deletion.

Processors aren’t explicitly mentioned within in the text in the article.

Records of Processing Activities

Under Article 30 Data controllers are now required to keep records when the following criteria is met

  • the processing is likely to result in a risk to the rights of affected employees (e.g. scoring, comprehensive monitoring, high risk resulting out of unauthorized disclosure or access, use of new technologies),
  • the processing is not occasional or
  • the processing includes special categories of data as referred to in Article 9 (1) (e.g. health data, biometric data, data related to political or philosophical beliefs) or personal data relating to criminal convictions and offences referred to in Article 10.

These records outline the basis for your data collection and include the details related to:

  • Details of the controller
  • Processing purposes
  • Description of types of data collected
  • Categories of data recipients
  • Data transfers including data transferred to third countries
  • Erasure details
  • Overview of data security measures

Data processors also obligated to  now keep records. Their records relate to the processes controllers ask them to carry out and include:

  • Name and details of processor(s) and controller(s) and Data Protection Officer (if applicable)
  • Categories of processing
  • Data transfers to third countries or international organizations
  • General description of security measures according to Article 32

All records must be both in writing and electronic form and should be ready to present to the Supervisory Authority if and when  requested.

Reporting Data Breaches

Controllers must notify the Supervisory Authority and the data subject whenever a data breach results in the  rights and freedoms of data subjects being put at risk. Reports made to the Supervisory Authority need to be submitted within 72 hours of finding the breach. Minor data breaches that do not require reporting to the Supervisory Authority must be documented in a data breach record.

If a processor finds a security breach, they must notify the relevant controllers impacted by the breach.

Appointing a Data Protection Officer

Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with data and meet one or more of the following criteria:

  • Are a public body
  • Process large scale data requiring regular monitoring
  • Hold special categories of data (including criminal conviction or offense data)

If appointed, a DPO’s role is to:

  • Advise the organization about its role in data protection
  • Monitor compliance with relevant legislation
  • Help with impact assessments
  • Work with relevant Supervisory Authorities

The DPO can be an internally appointed of outsourced to a DPO service provider.


Both data controllers and data processors have different obligations under the GDPR, but you’ll also find that their roles complement each other  in reaching the goals of transparency and accountability.

Data controllers perform much of the regulatory resource intensive duties , while processors play a more prescriptive role. However, they both have new liabilities under the law that makes it essential  for each to uphold their end of the contract . Working together promotes compliance and helps both parties avoid the new, hefty fines that come with violating the rules.

Relentless Data Privacy provide a full range of services and our new soon to be launched GDPR 24/7 platform where all of the above can be achieved in one place.

Sharing is caring!

error: Content is protected !!