
What is the difference between a data controller and a data processor?
Under the GDPR, the key difference between a data controller and a data processor is who decides why and how personal data is processed.

What is a data controller?
A data controller is the organisation or person that determines the purposes and means of processing personal data.
In simple terms, the controller decides:
- Why personal data is collected and used
- What personal data is needed
- How the data will be processed
Examples of data controllers include employers processing employee data, companies managing customer information, or organisations running marketing campaigns.
Controllers are primarily responsible for GDPR compliance and must ensure that personal data is processed lawfully, fairly, and transparently.

What is a data processor?
A data processor is an organisation or person that processes personal data on behalf of the controller, following the controller’s instructions.
Processors:
- Do not decide why personal data is processed
- Act only on documented instructions from the controller
- Provide services such as IT hosting, payroll, analytics, or customer support
Typical processors include cloud service providers, HR software vendors, and external accounting or marketing service providers.

Can an organisation be both a controller and a processor?
Yes. An organisation can be a controller for some processing activities and a processor for others, depending on its role in each specific context.
The role is determined by actual decision-making power, not by job titles or contract labels.

Why does the distinction matter?
Correctly identifying whether you are a controller or a processor is important because:
- Different GDPR obligations apply to each role
- Controllers must ensure a valid legal basis for processing
- Processors must have a data processing agreement (DPA) in place
- Liability and enforcement risks differ between controllers and processors
Misclassifying roles is a common compliance mistake and can lead to regulatory issues.