Home Blog Controller vs processor: Key differences in GDPR data handling roles

GDPR

Controller vs processor: Key differences in GDPR data handling roles

Posted by Kevin Yun|October 31, 2025

The General Data Protection Regulation has fundamentally changed how organizations handle personal data. But here's where it gets interesting (and slightly confusing): not every company processing data has the same responsibilities.

The GDPR creates a clear distinction between controllers and processors, each carrying different obligations and liabilities. This isn't just legal jargon - it's a practical framework that determines who's responsible for what when things go wrong.

Table of contents

What makes someone a data controller?

A controller isn’t just someone who collects data. The GDPR defines a controller as any natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data; in practice, that means a data controller, or GDPR data controller, is the party responsible for those choices. Translation: if you decide why and how personal data gets processed, the data controller determines the purposes and means of the processing of personal data.

Controllers hold the reins. They make the big decisions about data collection, storage, usage, and disposal. When a hospital decides to implement an automated system for patient notifications using a digital screen, it’s acting as a controller because it sets both the purpose and the means. If that system directs a patient to a consulting room, the hospital still remains responsible, including for accessibility needs affecting visually impaired patients.

But it’s not always straightforward. Controllers can be individuals, companies, government agencies, partnerships, or a legal entity, and in some cases another legal entity may be the controller if it makes the key decisions. The key factor is decision-making authority, not size or legal structure.

The controller role centers on control and decision-making. The data controller decides these core issues because the data controller determines how personal data processing will happen:

  • What personal data to collect
  • Why they need it
  • How long to keep it
  • Who can access it
  • When to delete it

This decision-making power comes with significant responsibility. Controllers must demonstrate compliance with GDPR data protection principles and protect data privacy through appropriate technical and organizational measures.

Statutory obligations and controllers

Some organizations become controllers because of a statutory obligation rather than choice. Section 6(2) of the Data Protection Act 2018 clarifies that entities processing data solely to comply with statutory obligations still qualify as controllers. They might not have chosen to process the data, but they’re still deciding how to fulfill such an obligation, including when the law requires sharing information with other authorities.

Understanding processors in processing personal data operations

A data processor operates in a different space entirely. The processor acts on behalf of the controller, following instructions rather than making independent decisions about data use. Think of them as skilled contractors hired to perform specific data-related tasks.

A processor’s relationship to personal data processing is fundamentally different from a controller’s. They don’t own the data or determine its ultimate purpose. Instead, they provide services that involve handling personal data according to the controller’s specifications.

The instruction-following principle

Article 29 of the GDPR establishes that processors should only process personal data following the controller's instructions, unless required by law to do otherwise. This creates a clear hierarchy: controllers give orders, and processors must follow the data controller's instructions.

When a gym hires a printing company to produce event invitations using member data, the printer acts as a processor. The gym (controller) determines the purpose (event promotion) and provides specific instructions about how to use the member names and addresses. The printer simply executes the gym's instructions.

When processors become controllers

Here's where things get tricky. If a processor starts making decisions about data processing beyond the controller's instructions, they risk becoming a controller themselves. This can happen accidentally when processors exceed their authority or make independent decisions about data use.

The transformation isn't always obvious. A processor might start as a service provider but gradually take on more decision-making responsibilities, shifting their legal status without realizing it.

Joint controllers: When responsibility gets shared

Sometimes multiple parties share decision-making authority over the same data processing activities. The GDPR recognizes this reality through the concept of joint controllers - organizations that jointly determine the purposes and means of processing.

Joint controllers must have shared or complementary purposes for processing. Simply processing the same data isn't enough; they need to be working together toward common goals or making collective decisions about how data gets handled.

Identifying joint controller relationships

Joint controller relationships often emerge in:

  • Business partnerships where companies share customer data
  • Research collaborations involving participant information
  • Marketing campaigns run by multiple organizations
  • Platform integrations where both parties influence data processing

Sometimes multiple parties share decision-making authority and may be considered joint controllers when they jointly determine the purposes and means of processing. The key question is whether both parties have meaningful input into the purposes and means of processing. If yes, they’re likely joint controllers and may be considered joint controllers.

Responsibilities and arrangements

Joint controllers must establish clear arrangements defining their respective responsibilities, particularly regarding individual rights and information obligations. This isn't just good practice - it's a legal requirement under Article 26 of the GDPR.

Sub processor and the chain of responsibility

Processors don’t always handle everything in-house. They might use a sub contract alongside subcontracting some or all of the processing to other processors, creating a chain of data handling relationships. While the GDPR doesn’t use the term “sub-processor,” it’s common industry shorthand for this arrangement.

Sub-processing creates additional complexity in the controller-processor relationship. The original processor remains responsible to the controller, but they’re now relying on another party to fulfill their obligations and must pass equivalent data protection obligations down the chain so the downstream processor protects the data in the same way required under the main controller-processor arrangement.

Authorization requirements

Processors can't just hire sub-processors without permission. They need either specific authorization from the controller for each sub-processor or general authorization with notification requirements when new sub-processors are added.

This authorization process protects controllers' interests while giving processors operational flexibility. It also maintains the chain of responsibility - controllers know who's handling their data, even when it passes through multiple processors.

The GDPR assigns different responsibilities to controllers and processors, reflecting their different roles in data processing operations.

Controller obligations

Controllers carry the heaviest compliance burden. They must:

  • Implement data protection by design and by default
  • Maintain records of processing activities
  • Conduct data protection impact assessments when required
  • Appoint a data protection officer in certain circumstances
  • Handle data subject requests
  • Report data breaches to supervisory authorities
  • Demonstrate compliance with GDPR principles

Controllers also bear primary liability for GDPR violations, facing potential fines up to 4% of annual global turnover or €20 million, whichever is higher, and those operating as joint or independent controllers need to understand how GDPR controller liability for joint vs independent roles affects their risk exposure.

Processor obligations

Processors have more limited but still significant responsibilities. They must:

  • Process data only on documented instructions from the controller
  • Ensure personnel handling data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist controllers with data subject requests and compliance demonstrations
  • Treat notifying data breaches to the controller without undue delay as part of the processor's duties
  • Delete or return personal data when processing ends

Processors can also face direct fines for certain violations, particularly those related to security measures or unauthorized processing, because these duties arise from acting under the controller's authority.

Real-world scenarios and examples

Understanding controller and processor roles becomes clearer through practical examples. Consider these common business situations:

E-commerce operations

An online retailer collects customer data during purchases. They use a third-party warehouse for fulfillment, sharing customer names and addresses for shipping purposes. The retailer is the controller - they determine why customer data is collected and how it's used. The warehouse is a processor, handling the data according to the retailer's instructions for order fulfillment, and similar principles apply when implementing Shopify GDPR compliance across ecommerce SaaS stores.

Marketing campaigns

A software company hires a marketing agency to run email campaigns using their customer database. The relationship depends on the level of decision-making authority; for example, if the company provides specific instructions about messaging, timing, and targeting, the agency is likely a processor. But if the agency makes strategic decisions about campaign design and audience selection, they might be a controller or joint controller.

Cloud services

Companies using cloud storage services often assume they're controllers while the cloud provider is a processor. This is frequently true, but the specifics matter. If the cloud provider offers only infrastructure (storage space and computing power), they're likely a processor. But if they provide analytics, insights, or other value-added services that involve making decisions about data use, the relationship becomes more complex.

Contracts and agreements between parties

The controller-processor relationship requires proper documentation through written contracts or legal acts. Article 28 of the GDPR mandates specific contractual terms that protect both parties and ensure compliance.

Required contractual elements

Data processing agreements must clearly cover the processing of personal data and the parties’ obligations, including:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Controller and processor obligations and rights
  • Security measures and breach notification procedures
  • Sub-processing arrangements and authorizations, with any sub-processor contract imposing equivalent data protection obligations in the same way as under the controller-processor agreement
  • Data deletion or return procedures

These aren’t boilerplate requirements. Each element serves a specific purpose in clarifying responsibilities and protecting data subjects’ rights.

Contractual flexibility and practical considerations

While the GDPR sets minimum requirements, parties can negotiate additional terms that reflect their specific business relationship. Controllers might require additional security measures, reporting obligations, or audit rights beyond what the GDPR mandates.

The contract also serves as evidence of compliance during regulatory investigations. Well-drafted agreements demonstrate that parties understood their roles and took appropriate steps to fulfill their obligations.

Liability and enforcement differences

Controllers and processors face different enforcement consequences when things go wrong. The GDPR's penalty structure reflects the different levels of responsibility each party carries.

Controller liability exposure

Controllers face the full weight of GDPR enforcement. They can be fined for any violation of the regulation, from failing to establish a lawful basis for processing to inadequate security measures. The penalties can be severe - up to 4% of annual global turnover or €20 million for the most serious violations.

Recent enforcement actions show regulators holding controllers responsible for processor failures, particularly when controllers failed to properly oversee their processors or ensure adequate contractual protections.

Processor liability scope

Processors face more limited but still significant liability exposure. They can be fined directly for violations related to their specific obligations, such as:

  • Processing data without proper instructions
  • Failing to implement adequate security measures
  • Unauthorized disclosure or use of personal data
  • Failure to assist controllers with compliance obligations

Processor fines follow the same structure as controller penalties, but they typically apply to a narrower range of violations.

Joint liability considerations

When processors exceed their authority and become controllers, they face the same liability exposure as original controllers. This can create unexpected exposure for service providers who thought they were operating under limited processor obligations.

Common misconceptions

Several myths persist about controller and processor roles, often leading to compliance gaps or misallocated responsibilities.

Size doesn't determine role

Many assume that larger organizations are automatically controllers while smaller service providers are processors. Size isn’t relevant - status depends on who makes the decisions, whether the organization is a sole trader, company, or incorporated partnership. A small consulting firm making strategic decisions about data use is a controller, and a self employed professional may be a controller in their own right, while a large technology company providing infrastructure services might be a processor.

Geographic location confusion

Some believe that organizations outside the EU can only be processors, not controllers. This isn’t true. Any organization that determines the purposes and means of processing European Union residents’ data can be a controller, regardless of location.

Industry-specific assumptions

Certain industries develop conventional wisdom about typical controller-processor relationships. While these patterns are often accurate, they shouldn’t override analysis of the actual legal entity or separate party making the decisions in specific relationships, and an employee acting within their role is not usually a separate party for controller-processor analysis. Smaller SaaS teams and startups, in particular, should choose GDPR compliance software for SaaS companies and startups that matches how their roles and responsibilities are structured.

Professional services complexity

Professional service providers occupy a particularly complex space in controller-processor analysis. Their professional obligations often require them to make independent decisions about data handling, potentially shifting them from processor to controller status.

When accountants review personal data within a firm's accounts, they’re not acting solely on the client's instructions. They must exercise independent judgment to meet their own professional obligations, potentially including reporting duties that override what a client wants. That often makes them controllers for certain processing activities, and specialist service providers may act in their own right for some of that processing.

Similarly, lawyers handling client matters make strategic decisions about information use and disclosure based on professional obligations and legal requirements. These decisions reflect controller-level authority over data processing.

Healthcare and other regulated professions

Healthcare providers face similar complexity. While they might follow patient instructions for some processing activities, professional medical standards often require independent clinical judgments that involve data processing decisions. The doctor-patient relationship creates multiple layers of controller obligations that often need support from robust GDPR compliance software tools to manage effectively.

Determining your role in practice

Organizations often struggle to categorize their role, particularly in complex business relationships involving multiple parties and purposes. A systematic approach helps clarify the analysis.

Key questions for role determination

Start with these fundamental questions:

  • Who decided to collect this personal data?
  • Who determines why the data is being processed?
  • Who decides how long to keep the data?
  • Who chooses the technical means for processing?
  • Who has authority to modify processing activities?

The party with decision-making authority over these elements is likely the controller. Parties following instructions from others are likely processors.

Multi-purpose processing analysis

Many business relationships involve processing for multiple purposes. A party might be a controller for some purposes and a processor for others. This mixed status requires careful analysis of each processing activity.

A customer relationship management platform might be:

  • A processor when storing and organizing customer data according to client instructions
  • A controller when using aggregated data for platform improvement purposes
  • A joint controller when providing analytics services that involve shared decision-making about data insights

Documentation and evidence

Role determination should be documented and supported by evidence. Contracts, policies, training materials, and business practices all provide insights into actual decision-making authority and responsibility allocation.

Compliance implications for each role under the General Data Protection Regulation

Understanding your role is just the beginning. Each role carries specific compliance obligations that require different approaches and resources.

Controller compliance programs

Controllers need comprehensive compliance programs covering all aspects of data protection. This includes:

  • Legal basis assessment and documentation
  • Privacy impact assessments for high-risk processing
  • Data subject rights handling procedures
  • Breach notification and response plans
  • Vendor management and processor oversight
  • Regular compliance monitoring and auditing

Controllers must also maintain detailed records of processing activities and be prepared to demonstrate compliance to regulators.

Processor compliance focus

Processors can focus on a narrower set of compliance requirements, but they must execute them thoroughly; for example, a processor managing web analytics may rely on a free website cookie checker for GDPR compliance to understand tracking behaviors:

  • Instruction compliance monitoring, including ensuring that any GDPR cookie compliance implementation aligns with the controller’s documented directions
  • Security measure implementation and maintenance
  • Controller support for data subject requests
  • Breach detection and notification procedures, alongside maintaining a GDPR-compliant cookie consent banner for websites where relevant
  • Staff training and confidentiality measures
  • Contractual compliance demonstration

Processors should also maintain clear documentation of their activities and decision-making limitations, and many organizations use a GDPR compliance dashboard for monitoring and reporting to track these responsibilities in real time.

Modern businesses benefit significantly from dedicated GDPR compliance tools and software platforms that automate many of these complex requirements. ComplyDog provides comprehensive tools for managing controller and processor obligations, including automated data mapping, privacy impact assessments, consent management, and vendor oversight capabilities.

Whether you're a controller managing multiple processing activities or a processor supporting client compliance needs, specialized software like ComplyDog streamlines the compliance process while reducing the risk of costly violations. The platform's integrated approach helps organizations of all sizes maintain GDPR compliance efficiently and effectively, adapting to the evolving regulatory landscape and upcoming GDPR changes in 2025 while supporting business growth.

For more information about comprehensive GDPR compliance solutions, visit ComplyDog.com to see how automated compliance tools can strengthen your data protection program.