Data Processors vs. Data Controllers: Defining Each Role with Examples

By Morgan Sullivan

Senior Content Marketing Manager II

February 27, 2025

8 min read


Data controllers vs processors at a glance

  • Data controllers make key decisions about personal data - why it's collected and how it's used. They set the rules for data handling and take primary responsibility for protecting user privacy.
  • Data processors follow the controller's instructions to handle, store, or analyze personal data. They're trusted partners who work with data but don't decide its purpose.
  • Under the EU’s General Data Protection Regulation (GDPR) and similar privacy laws, both data controllers and processors have specific legal duties.
  • A GDPR data controller carries more responsibility, but processors must also protect data and follow strict security protocols.

The three things you need to know

GDPR has changed how businesses handle personal data. Here's what matters most about controllers and processors:

Controllers make the decisions about data

A data controller determines how personal data should be handled. If you're deciding what data to collect from users and what to do with it, you're likely a controller. Examples of data controllers include:

  • E-commerce companies deciding what customer information to collect for orders and shipping
  • Social media platforms choosing what user data to gather for their services
  • Healthcare providers determining what patient information they need to deliver care
  • Banks selecting what financial data to collect for account management
  • Educational institutions deciding what student information to maintain
  • Mobile app developers choosing what user data their app will collect

Processors follow the controller's instructions

Processors handle data based on clear directions from controllers. If you're processing data on behalf of another company according to their guidelines, you're probably a processor. Processors include:

  • Cloud storage providers storing customer data for other companies
  • Payment processors handling transaction data for online stores
  • Email service providers sending messages on behalf of businesses
  • Analytics companies processing website data for their clients
  • Customer service platforms managing support tickets for other businesses
  • Data centers hosting servers for other organizations
  • Payroll companies processing employee data for employers

The GDPR defines the responsibilities of data controllers and data processors primarily in Chapter 4, "Controller and Processor." This chapter comprises several articles that specify the obligations of each role:

  • Article 24: Responsibility of the Controller - Mandates that controllers implement appropriate technical and organizational measures to ensure and demonstrate compliance with the GDPR.
  • Article 25: Data Protection by Design and by Default - Requires controllers to integrate data protection principles into processing activities and implement default settings that ensure data privacy.
  • Article 26: Joint Controllers - Addresses situations where two or more controllers jointly determine the purposes and means of processing, outlining their shared responsibilities.
  • Article 27: Representatives of Controllers or Processors Not Established in the Union - Obliges controllers and processors outside the EU to designate a representative within the EU under certain conditions.
  • Article 28: Processor - Details the obligations of processors, including processing data only on documented instructions from the controller and implementing appropriate security measures.
  • Article 29: Processing Under the Authority of the Controller or Processor - Specifies that individuals processing data must do so under the authority of the controller or processor and follow their instructions.
  • Article 30: Records of Processing Activities - Requires both controllers and processors to maintain records of their processing activities.
  • Article 31: Cooperation with the Supervisory Authority - Mandates that controllers and processors cooperate with supervisory authorities upon request.

These articles collectively define the distinct responsibilities of data controllers and processors, ensuring clarity in their roles and promoting accountability in personal data processing.

The origin and evolution of data roles

The concepts of "data controller" and "data processor" didn't start with GDPR. They first appeared in European privacy law in 1995 with the Data Protection Directive. Even then, lawmakers recognized that different organizations handle personal data in different ways.

In 1995, most data processing happened in-house. Companies had their own servers and managed their own databases. Fast forward to today, and we're working with cloud services, SaaS platforms, and complex data flows across multiple providers.

These definitions have influenced privacy laws worldwide. From California's Consumer Privacy Act (CCPA) to Brazil's LGPD, many new privacy laws use similar concepts, even if they use different terms (like "business" and "service provider" in CCPA).

The basics of each role

What makes you a controller

  1. Power to decide why data is collected: Controllers choose which personal data to gather and set clear purposes for using it. For example, an e-commerce site deciding to collect customer addresses for shipping is acting as a controller.
  2. Authority to choose how data is handled: Controllers pick the tools, systems, and partners involved in processing data. They also determine how long to keep data and when to delete it.

What makes you a processor

  1. Following someone else's instructions: A processor processes personal data on behalf of the controller and according to set guidelines. They must assist data controllers with privacy requests, security measures, and compliance tasks. They can't suddenly decide to use the data for their own purposes.
  2. Processing without decision power: While processors can make some technical choices, they don't decide the fundamental reasons for data collection or usage.

Real-world example: Healthcare data flow

Take a healthcare app that helps patients manage their medications. The app company acts as a data controller when they decide to collect specific health data, like medication schedules and symptom tracking. They make key decisions about what information to gather and why.

Their cloud storage provider (whether that's AWS, Microsoft Azure, or something else) is the data processor. This provider stores all this sensitive health data, but can't decide to use it for research or share it with pharmaceutical companies without the app's explicit permission.

This relationship shows how controllers direct the show while processors follow the script.

Working together

The controller-processor relationship

Required agreements

Every controller-processor relationship needs a written contract. This is specifically required under GDPR and must spell out exactly how personal data will be handled. The agreement should cover everything from security measures to what happens when someone requests their data.

Communication needs

Clear communication channels between controllers and processors are also required under GDPR. When a user asks to see their data or there's a potential security issue, both parties need to know who does what (GDPR Articles 28 & 33).

Security expectations

Controllers need to make sure their processors have strong security measures in place. This means regular checks, clear reporting procedures, and plans for handling any data breaches.

Both parties have responsibilities for notifying data breaches. Processors must inform controllers promptly and controllers must notify authorities within 72 hours when required (GDPR Articles 28 & 32).

Complex situations

When you might be both

Sometimes organizations play both roles. Take an HR software company—they're a processor when handling employee data for their clients, but a controller for their own employees' information.

Professional service providers

Accountants, lawyers, and similar professionals often act as controllers, not processors. Why? They have professional obligations that require them to make independent decisions about how they handle data.

Joint controller arrangements

When two or more organizations decide together how to use personal data, they become joint controllers. Think of a bank and an insurance company running a joint promotion: they both have a say in how customer data is used.

Need help staying on top of your controller obligations? Transcend's Data Inventory tool helps you track and manage your data processing activities in one place.

Common mix-ups

Mistakes to avoid

Assuming all vendors are processors

Just because a company provides a service doesn't automatically make them a processor. Some vendors make independent decisions about data use, making them controllers.

Confusing technical choices with purpose decisions

Processors can decide how to technically implement security measures, but they can't change why or how data is fundamentally used. That's the controller's call.

Missing joint controller situations

If you're working with partners and both making decisions about personal data use, you might be joint controllers. This requires specific arrangements under GDPR.

FAQs about data controllers vs processors

Who is responsible for a data breach, a controller or processor?

Both data controllers and processors can be held responsible for a data breach. Controllers are primarily accountable for ensuring compliance with data protection laws, while processors must adhere to the controller's instructions and implement appropriate security measures. If a processor fails to meet its obligations, it can be held liable for the breach.

Can a data processor be fined?

Yes, data processors can be fined under the GDPR for failing to comply with their obligations. This includes breaches of data security, processing data beyond the controller's instructions, or failing to assist the controller in ensuring compliance.

What are data protection impact assessments?

A data protection impact assessment (DPIA) is a key tool that helps organizations meet their data protection obligations. It's a process that identifies and minimizes privacy risks before an organization starts processing sensitive data or launching high-risk projects. You'll need one when using new technologies, processing health data, or monitoring public spaces. The assessment helps you spot potential issues early and build privacy protections into your systems from the start.

Does a data processor need a data protection officer?

A data processor is required to appoint a Data Protection Officer (DPO) if its core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale, or if it processes special categories of data on a large scale. This requirement is outlined in Article 37 of the GDPR.

Can an individual be a data controller?

Yes, an individual can be a data controller if they determine the purposes and means of processing personal data. This is common in cases like sole traders or self-employed professionals who handle personal data in the course of their business activities.

About Transcend

How we can help

Transcend offers next-generation privacy tools that make both controller and processor obligations easier to manage. Our platform helps with:

Whether you're a controller managing multiple processors or a processor serving various controllers, we've built tools to simplify your privacy operations and keep you compliant.

