Data controller and processor according to the GDPR


Controller and processor are two key roles defined by the GDPR, assigned to individuals, legal entities, public authorities, institutions, and other organizations that process personal data or make decisions about its processing. In this article we define these roles in more detail and describe their areas of responsibility.

What are a controller and a processor according to the General Data Protection Regulation?

Think of it like a ship with a captain and crew. The captain (controller) decides the ship’s destination (the purpose of processing of personal data) and which crew to hire (what digital tool to use). The processor, following the captain’s orders, handles the data under the controller’s direction and on behalf of the controller. They don’t set processing purposes — they simply provide services or fulfill orders.

For example:

When you add Google Analytics to the website of your organisation, Google can match your site’s user data with information from its services to identify users’ names and ages through their Gmail accounts. Your website sends information to Google, which processes it and returns anonymized results. When viewing Google Analytics, you don’t see individual users. In essence, businesses tell Google: “Visit my site, collect users’ personal data, and provide me with an anonymized report.” Here, the business acts as the controller while Google serves as the processor, working on the business’s behalf.

The roles of data controller and processor

Controllers must inform data subjects about data processing through privacy policies, including listing processors like Google. While processors act on controllers’ instructions regarding processing purposes and methods, both parties must protect personal data in their respective capacities.

A controller can operate alone, share responsibility with others (as co-controllers), or work alongside separate controllers who independently determine their own processing purposes and methods.

Joint controllers — or co-controllers — are defined in Article 26 of GDPR. These entities jointly determine processing purposes and methods, sharing the same responsibilities as individual controllers.

For example:

When a travel agency purchases airline tickets on your behalf, they need passport details, flight numbers, and departure dates. Both the airline and travel agency independently determine their processing purposes and methods. Without a formal agreement, they act as separate controllers rather than co-controllers. True co-controllers make joint decisions about required data.

Who is more responsible: data processor or controller?

Controller or processor: who bears more responsibility for data protection and General Data Protection Regulation compliance? The controller does, as they determine the purposes and means of the processing. Greater authority comes with greater responsibility.

Controllers bear primary obligations to data subjects — they must uphold subjects’ rights and ensure processor compliance. Controllers answer directly to supervisory authorities, and while audits extend to their processors, controllers face primary scrutiny.

To help understand these relationships better, we provide a clear diagram showing roles and responsibilities. Additionally, after completing the GDPR Data Privacy Professional course, you’ll receive numerous proprietary diagrams and materials from author and trainer Siarhei Varankevich, CIPP/E, CIPM, CIPT, FIP.

Controller and processor