Senior Content Marketing Manager II
February 27, 2025
GDPR has changed how businesses handle personal data. Here's what matters most about controllers and processors:
A data controller determines how personal data should be handled. If you're deciding what data to collect from users and what to do with it, you're likely a controller. Examples of data controllers include:
A data processor handles personal data based on clear directions from a controller. If you're processing data on behalf of another company according to their guidelines, you're probably a processor. Processors include:
The GDPR defines the responsibilities of data controllers and data processors primarily in Chapter 4, "Controller and Processor." This chapter comprises several articles that specify the obligations of each role:
These articles collectively define the distinct responsibilities of data controllers and processors, ensuring clarity in their roles and promoting accountability in personal data processing.
The concepts of "data controller" and "data processor" didn't start with GDPR. They first appeared in European privacy law in 1995 with the Data Protection Directive. Even then, lawmakers recognized that different organizations handle personal data in different ways.
In 1995, most data processing happened in-house. Companies had their own servers and managed their own databases. Fast forward to today, and we're working with cloud services, SaaS platforms, and complex data flows across multiple providers.
These definitions have influenced privacy laws worldwide. From the California Consumer Privacy Act (CCPA) to Brazil's LGPD, many newer privacy laws use similar concepts, even if they use different terms (like "business" and "service provider" in the CCPA).
Take a healthcare app that helps patients manage their medications. The app company acts as a data controller when they decide to collect specific health data, like medication schedules and symptom tracking. They make key decisions about what information to gather and why.
Their cloud storage provider (whether that's AWS, Microsoft Azure, or something else) is the data processor. This provider stores all this sensitive health data, but can't decide to use it for research or share it with pharmaceutical companies without the app's explicit permission.
This relationship shows how controllers direct the show while processors follow the script.
Every controller-processor relationship needs a written contract. This is specifically required under GDPR and must spell out exactly how personal data will be handled. The agreement should cover everything from security measures to what happens when someone requests their data.
Clear communication channels between controllers and processors are also required under GDPR. When a user asks to see their data or there's a potential security issue, both parties need to know who does what (GDPR Articles 28 & 33).
Controllers need to make sure their processors have strong security measures in place. This means regular checks, clear reporting procedures, and plans for handling any data breaches.
Both parties have responsibilities for notifying data breaches. Processors must inform controllers promptly, and controllers must notify the supervisory authority within 72 hours when required (GDPR Articles 28 & 32).
Sometimes organizations play both roles. Take an HR software company—they're a processor when handling employee data for their clients, but a controller for their own employees' information.
Accountants, lawyers, and similar professionals often act as controllers, not processors. Why? They have professional obligations that require them to make independent decisions about how they handle data.
When two or more organizations decide together how to use personal data, they become joint controllers. Think of a bank and an insurance company running a joint promotion: they both have a say in how customer data is used.
Need help staying on top of your controller obligations? Transcend's Data Inventory tool helps you track and manage your data processing activities in one place.
Just because a company provides a service doesn't automatically make them a processor. Some vendors make independent decisions about data use, making them controllers.
Processors can decide how to technically implement security measures, but they can't change why or how data is fundamentally used. That's the controller's call.
If you're working with partners and both making decisions about personal data use, you might be joint controllers. This requires specific arrangements under GDPR.
Both data controllers and processors can be held responsible for a data breach. Controllers are primarily accountable for ensuring compliance with data protection laws, while processors must adhere to the controller's instructions and implement appropriate security measures. If a processor fails to meet its obligations, it can be held liable for the breach.
Yes, data processors can be fined under the GDPR for failing to comply with their obligations. This includes breaches of data security, processing data beyond the controller's instructions, or failing to assist the controller in ensuring compliance.
A data protection impact assessment (DPIA) is a key tool that helps organizations meet their data protection obligations. It's a process that identifies and minimizes privacy risks before an organization starts processing sensitive data or launching high-risk projects. You'll need one when using new technologies, processing health data, or monitoring public spaces. The assessment helps you spot potential issues early and build privacy protections into your systems from the start.
A data processor is required to appoint a Data Protection Officer (DPO) if its core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale, or if it processes special categories of data on a large scale. This requirement is outlined in Article 37 of the GDPR.
Yes, an individual can be a data controller if they determine the purposes and means of processing personal data. This is common in cases like sole traders or self-employed professionals who handle personal data in the course of their business activities.
Transcend offers next-generation privacy tools that make both controller and processor obligations easier to manage. Our platform helps with:
Whether you're a controller managing multiple processors or a processor serving various controllers, we've built tools to simplify your privacy operations and keep you compliant.