Data processor and data controller according to GDPR

Controller and processor are two key roles defined by the GDPR. They are assigned to individuals, legal entities, public authorities, institutions, and other organisations that process personal data or make decisions about its processing. In this article we define each role in more detail and describe its areas of responsibility.

What is a controller and a processor according to the General Data Protection Regulation?

Think of it like a ship with a captain and crew. The captain (controller) decides the ship’s destination (the purpose of processing personal data) and which crew to hire (which digital tool to use). The processor, following the captain’s orders, handles the data under the controller’s direction and on behalf of the controller. Processors do not set processing purposes; they simply provide services or fulfil orders.

For example:
When you add Google Analytics to the website of your organisation, Google can match your site’s user data with information from its services to identify users’ names and ages through their Gmail accounts. Your website sends information to Google, which processes it and returns anonymized results. When viewing Google Analytics, you don’t see individual users. In essence, businesses tell Google: “Visit my site, collect users’ personal data, and provide me with an anonymized report.” Here, the business acts as the controller while Google serves as the processor, working on the business’s behalf.

The roles of data controller and processor

Controllers must inform data subjects about data processing through privacy policies, including listing processors like Google. While processors act on controllers’ instructions regarding processing purposes and methods, both parties must protect personal data in their respective capacities.

A controller can operate alone, share responsibility with others (as co-controllers), or work alongside separate controllers who independently determine their own processing purposes and methods.

Joint controllers — or co-controllers — are defined in Article 26 of GDPR. These entities jointly determine processing purposes and methods, sharing the same responsibilities as individual controllers.

For example:

When a travel agency purchases airline tickets on a customer’s behalf, it needs passport details, flight numbers, and departure dates, and it passes some of these to the airline. The airline and the travel agency each determine their own processing purposes and methods, so they act as separate controllers rather than co-controllers. True co-controllers jointly decide why and how the data is processed, including which data is required; Article 26 then obliges them to set out their respective responsibilities in an arrangement between them. Note that joint controllership follows from the facts of who decides what, not merely from whether a formal agreement exists.

Who is more responsible: data processor or controller?

Who bears more responsibility for data protection and GDPR compliance? The controller does, because it determines the purposes and means of the processing. Greater authority comes with greater responsibility.

Controllers bear the primary obligations to data subjects: they must uphold subjects’ rights and ensure that their processors comply. Controllers answer directly to supervisory authorities, and while audits extend to their processors, controllers face primary scrutiny. This does not mean processors are free of liability: the GDPR imposes direct obligations on processors as well (for example, processing only on documented instructions, keeping records of processing, securing the data, and notifying the controller of a breach), and supervisory authorities can fine processors directly for breaching them.

To help understand these relationships better, we provide a clear diagram showing roles and responsibilities. Additionally, after completing the GDPR Data Privacy Professional course, you’ll receive numerous proprietary diagrams and materials from author and trainer Siarhei Varankevich, CIPP/E, CIPM, CIPT, FIP.

Diagram: Controller and processor

Personal Data Protection Help and Support under GDPR and National Laws

We help establish systematic personal data protection practices through training and consulting services.

Consulting services on data privacy according to GDPR, ISO 27701 and other international standards.

EU Representative Services under GDPR is a pay-as-you-go service where representation is free during periods without data subject requests or communication with supervisory authorities. The service remains free if the company has not significantly altered its data processing practices since its onboarding process.

A fundamental course that covers all aspects of GDPR and teaches how to apply them in practice.

Privacy training programmes for teams, delivered live online or as e-learning, at varying levels of depth. A customisable, interactive solution at a fair price.

Materials on the topic

In this article, a GDPR expert explains the mistakes controllers often make when working with processors and how businesses can engage processors without breaching the GDPR.

How to Manage a Chain of Processors Under GDPR: Expert Guide for Controllers

Fines for GDPR violations in AI systems and how to avoid them

Five common misconceptions about GDPR

Global Data Privacy Strategy: Go Beyond GDPR

Balancing Innovation and Data Privacy: The GDPR Expert’s Role in AI-Driven Marketing

What is GDPR — General Data Protection Regulation?

12 of the most notorious fines for GDPR violations

Organization of cross-border data transfer according to GDPR

A full guide to the General Data Protection Regulation, or GDPR for short. Here you’ll learn what personal data is, what rights data subjects have, and how to comply with the regulation.
