GDPR Data Controller vs Data Processor

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 09 July 2024.


If you handle personal data you may qualify as either a data controller or data processor under Europe's General Data Protection Regulation (GDPR). Your role depends largely on whether you make key decisions about what data to collect and how to use it. Both roles involve some legal responsibilities and the law has specific rules for the relationship between the two.

Here's what you need to know.


What is the GDPR and Does it Apply to Me?

The GDPR is a European Union regulation, meaning it has direct legal force in every EU member state without needing national implementing legislation. Under Article 3 it applies in three cases:

  • You are established in the EU (as a controller or processor) and the processing takes place in the context of that establishment's activities, regardless of where the processing itself happens
  • You are established outside the EU but process personal data of people who are in the EU in connection with offering them goods or services, or with monitoring their behaviour
  • You are established outside the EU in a place where an EU member state's law applies by virtue of public international law

Personal data is any information relating to an identified or identifiable living person. Processing covers almost anything done with that data, including collecting, storing, using, sharing and deleting it.

The key principle of the GDPR is that you may only process personal data where you have a lawful basis under Article 6. The six bases are: the data subject's consent; performance of a contract with them; compliance with a legal obligation; protection of someone's vital interests; a task carried out in the public interest or under official authority; and your legitimate interests, provided they are not overridden by the data subject's interests, rights and freedoms.

As this guide will cover, the GDPR also includes a wide range of specific legal requirements. It has 99 articles, of which 20 specifically cover the role of data controllers and processors.

Although the United Kingdom is no longer an EU country, the GDPR's requirements are retained in its national law as the UK GDPR, supplemented by the Data Protection Act 2018. This will remain the case unless and until the UK revokes or amends these laws.

What is a Data Controller?

The GDPR defines a data controller as:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

What is a Data Processor?

The GDPR defines a data processor as:

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

To put this more simply:

  • A data controller decides what data to process, how to process it and why it's processed. A controller that does the processing itself is still classed as a data controller.
  • A data processor processes the data on the controller's behalf and follows the controller's instructions. It may make minor operational decisions (for example which hosting or tooling to use), but only within those instructions.

Data controllers can be individuals or organizations, including businesses. However, an individual who is only processing data for purely personal or household purposes (such as maintaining a list of dates and addresses for sending birthday and Christmas cards) doesn't fall under the GDPR's scope.

Data Controller Requirements


A data controller is responsible for doing all of the following, whether or not they are using a data processor. We'll cover the extra steps they must take when using a data processor later in this guide.

Prove Overall Compliance

The data controller must be able to demonstrate that it has taken appropriate steps to make sure any processing (whether done by itself or by a processor) complies with the GDPR. This is the accountability principle: it is not enough to comply, the controller must be able to show how it complies. These steps include both organizational and technical measures.

Data Protection by Design and Default

The data controller must design its systems and procedures so that they minimize the risk of harm to data subjects. This could include collecting only the minimum amount of data necessary for a particular task. It could also include safeguards that stop data being kept longer than necessary or being accessed by people who don't need to see it. "By default" means these protections must apply routinely, without the data subject having to opt in to them.

Record Keeping

The data controller must keep records of all processing, including that done by a processor on its behalf. The records must cover:

  • The controller's name and contact details
  • The purpose of the processing
  • The categories of data subject and data types
  • The categories of third parties who have or will receive the data
  • Details of any transfers of data to non-EU countries and how the data will remain protected
  • How long the data will be kept
  • The security measures used to protect the data

Cooperation

The data controller must cooperate with the relevant supervisory authorities on any matters relating to their data processing. Usually this is a government department or agency dealing with data protection in a particular country.

Security

The data controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. Under Article 32 these include, as appropriate:

  • Pseudonymisation and encryption of personal data
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Being able to restore the availability of, and access to, personal data in a timely manner after a "physical or technical incident"
  • Regularly testing, assessing and evaluating the effectiveness of these measures
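Pseudonymisation is the one item in this list that is a concrete technique rather than an organizational duty, and it is easy to get wrong. The following Python block is an added example, not code from the original article or from FreePrivacyPolicy: it pseudonymises the identifier field of some constructed sample records with a keyed HMAC, keeps the key and the re-identification table on the controller's side, and contrasts the result with an unkeyed hash that a dictionary attack recovers. The record layout, the fixed key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample records for this example; the people are fictitious.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
    {"email": "Alice@Example.com", "plan": "pro", "country": "DE"},
]

# Fixed key so the example is reproducible. In practice the controller generates
# this with secrets.token_bytes(32), stores it separately from the pseudonymised
# data (e.g. in a secrets manager) and never hands it to the processor.
EXAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def normalise(identifier: str) -> bytes:
    """Canonicalise the identifier so trivial variants map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    Deterministic, so the same person always gets the same pseudonym and the
    processor can still join records; keyed, so the pseudonym cannot be
    recovered by hashing a list of candidate identifiers without the key.
    """
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: what NOT to use as a pseudonym."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise_dataset(records, key: bytes):
    """Split records into the dataset handed to a processor and the
    controller-side re-identification table.

    Returns (processor_view, lookup). The processor view carries a subject_id
    in place of the e-mail address; the lookup maps subject_id back to the
    address and stays with the controller alongside the key.
    """
    processor_view = []
    lookup = {}
    for rec in records:
        subject_id = pseudonymise(rec["email"], key)
        lookup[subject_id] = normalise(rec["email"]).decode("utf-8")
        processor_view.append(
            {"subject_id": subject_id, "plan": rec["plan"], "country": rec["country"]}
        )
    return processor_view, lookup


def reidentify(subject_id: str, lookup: dict) -> Optional[str]:
    """Controller-side reversal using the additional information it kept."""
    return lookup.get(subject_id)


def dictionary_attack(target: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Try to recover the identifier behind `target` from a candidate list.

    Models an adversary holding the processor's dataset. With key=None it tries
    unkeyed SHA-256, which succeeds against a plain hash; against a keyed
    pseudonym it can only succeed if it also holds the key.
    """
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    view, table = pseudonymise_dataset(RECORDS, EXAMPLE_KEY)
    for row in view:
        print(row)
    print("re-identified:", reidentify(view[1]["subject_id"], table))
    leaked = ["alice@example.com", "bob@example.org"]
    print("plain hash guessed:", dictionary_attack(unkeyed_hash("alice@example.com"), leaked))
    print("keyed pseudonym guessed:", dictionary_attack(view[0]["subject_id"], leaked))
```

A keyed function is used rather than a plain hash because e-mail addresses and similar identifiers have little entropy: anyone who obtains the processor's dataset can hash a list of known addresses and match them against plain SHA-256 values, which is exactly what `dictionary_attack` does. Keeping the key and the lookup table apart from the pseudonymised data is what makes the measure meaningful, and it also maps cleanly onto the controller/processor split: the processor works on `processor_view`, the controller holds the means of re-identification. Note that pseudonymised data is still personal data under the GDPR (Article 4(5) and Recital 26), so this reduces risk but does not take the processing out of scope.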

Breach Notifications

The data controller must report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. If notification takes longer than 72 hours, the controller must give reasons for the delay.

The data controller must also tell the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Impact Assessments

The data controller must carry out a data protection impact assessment (DPIA) before starting any processing that is likely to involve a high risk to people's rights and freedoms. Triggers include the use of new technologies, systematic and extensive profiling or automated decision-making, large scale processing of sensitive data, and systematic monitoring of publicly accessible areas.

The impact assessment should cover the risks and the relevant mitigations. In the most serious cases, the data controller must consult the relevant supervisory authority before carrying out the processing.

Data Protection Officer

The data controller must appoint a data protection officer if it is a public authority or body, if its core activities involve "regular and systematic monitoring" of people on a large scale, or if its core activities involve large scale processing of special category (sensitive) data or data relating to criminal convictions and offenses.

The data protection officer can be an employee of the data controller or an external person engaged under a service contract. They must have the expertise and knowledge to fulfill the role. The same person can be data protection officer for more than one organization as long as there's no conflict of interest and they have the capacity for every role.

Data Processor Requirements


The data processor's most important obligation is to process data only when, and how, the data controller instructs it to. If a processor goes beyond those instructions and starts deciding the purposes and means of processing itself, it is treated as a controller for that processing and takes on a controller's liability for any resulting breaches of the GDPR.

Data processors also have several other specific obligations.

Record Keeping

The data processor must keep records when processing data. This must cover:

  • The name and contact details of both the processor and each data controller for whom it is working
  • The categories of processing carried out on behalf of each controller
  • Details of any transfers of data to non-EU countries and how the data will remain protected
  • The security measures used to protect the data

Remember that the data controller must also keep records of the data processing, which must include much more detail than the records kept by the data processor.

Cooperation

The data processor must cooperate with the relevant supervisory authorities on any matters relating to their data processing.

Security

The data processor has the same Article 32 responsibilities as the data controller for keeping data secure, including appropriate technical and organizational measures scaled to the risk.

Breach Notifications

The data processor must tell the data controller about any personal data breach without undue delay after becoming aware of it. (The data controller is then responsible for notifying the relevant supervisory authority and, where required, the data subjects.)

Data Protection Officers

Data processors must also appoint a data protection officer where the same conditions apply to them, following the same rules and principles.

The data protection officer's duties include:

  • Informing and advising the data controller or processor (and their staff) of their responsibilities under the GDPR
  • Monitoring the data controller's or processor's compliance with the GDPR, including awareness-raising, training and audits
  • Advising on data protection impact assessments and monitoring their performance
  • Cooperating with, and acting as the contact point for, the relevant supervisory authorities
  • Acting as a contact point for data subjects on any issues relating to the processing of their data and the exercise of their rights

The Relationship Between Data Controllers and Data Processors


Data controllers may only use data processors that provide sufficient guarantees of compliance with the GDPR. In practice this means checking, before engaging a processor, that it has appropriate technical and organizational measures in place to keep the data protected.

The data controller must have a binding contract (or other legal act) with the data processor. It must set out the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects, and it must guarantee that the data processor will:

  • Only process the data on the data controller's documented instructions
  • Make sure anyone authorised to access the data is bound by a duty of confidentiality
  • Keep the data secure, applying the measures required by Article 32
  • Not engage a sub-processor without the data controller's prior authorisation
  • Help the data controller respond to data subjects exercising their rights
  • Help the data controller meet its own security, breach notification and impact assessment obligations
  • Delete or return the data when the processing is complete
  • Make available all information needed to demonstrate compliance, and allow for and contribute to audits

Sub-Processors

Data processors can engage other processors (sub-processors) to work on the processing, but only with the data controller's prior written authorisation, which may be specific or general. Where the authorisation is general, the processor must tell the controller about any intended addition or replacement of a sub-processor and give it the chance to object. The processor must have a contract with each sub-processor that imposes the same data protection obligations as its own contract with the controller. The original data processor remains fully liable to the data controller for the sub-processors' compliance with the GDPR.

Joint Controllers

It is possible to have joint controllers for the same data. This happens when two or more controllers jointly decide why and how the data is processed.

In this situation, the joint controllers must have a transparent arrangement setting out who is responsible for meeting the various requirements of the GDPR, in particular informing data subjects about the processing and handling their rights. The essence of that arrangement must be made available to data subjects, and regardless of what it says, a data subject may exercise their rights against any of the joint controllers.

Summary

Under the GDPR, data controllers decide what data to process, why and how. They may also process the data themselves. Data processors carry out processing on a controller's behalf, but only in line with the controller's instructions.

Data controller responsibilities include demonstrating compliance, building data protection into systems by design and by default, keeping (more extensive) records of processing, cooperating with supervisory authorities, maintaining data security, making breach notifications and running impact assessments where needed.

Data processors have similar responsibilities but with some limitations. For example, they only have to tell the data controller about a breach, not the supervisory authority.

Data controllers must have a binding contract with each data processor, covering the terms required by Article 28, to make sure the processor follows the rules; processors must in turn flow the same terms down to any sub-processors.

Both data controllers and processors may need to appoint a data protection officer.