Who's Liable Under GDPR? Data Controllers vs Processors Explained

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 15 May 2025.

Organizations that handle personal data have several legal responsibilities under the GDPR.

If an organization fails to meet its GDPR responsibilities, it can face serious legal consequences. While this set-up is simple enough, things get a little more complicated when one organization processes personal data on behalf of another organization. Here's what you need to know.


What is a Data Controller?

The GDPR uses the term "data controller" to mean the organization that makes decisions about processing personal data. This means they decide how, when and why the data is collected, used, shared or deleted. Who actually does the processing doesn't change who is classed as the data controller: it's all about who makes the decision.

(Although we use the term "organization" in this article, an individual person can be a data controller, as long as they are acting on their own behalf. Similarly, a data controller could be a corporation, business, public authority or government.)

What is a Data Processor?

The GDPR uses the term "data processor" to refer to an organization that processes data on behalf of somebody else. This can be any form of processing, for example just collecting the data.

What matters is that the data processor is not making any key decisions about what data to collect, how to process it, when to disclose it, and so on. Any decisions the data processor makes will be minor operational ones (such as which software to use) that don't affect the key aims and purposes of the processing. The key principle is that a data processor acts in line with the data controller's instructions.

The data controller/data processor set-up can involve many forms of business relationship. For example, an email newsletter software company might collect email addresses (or delete ones from people who unsubscribe) on behalf of a company that writes and sends out a newsletter. The software company is the data processor and the company writing the newsletter is the data controller.

Another example is a card company who handles payments for an online seller. The card company is the data processor, and the online seller is the data controller.

As with data controllers, data processors can be any type of organization or an individual person.

Stripe sums up how deciding how and why to process data is the key difference between a data controller and a data processor:

Stripe acts as Data Processor vs Data Controller section

Subsidiaries

The data controller/data processor set-up can be a little confusing in the case of a group of companies such as a subsidiary or parent company. The key principles are:

  • If the companies are not separate legal entities, there's no data processor: the entire legal entity is the data controller.
  • If the companies are separate legal entities, the one that makes the decisions about data processing is the data controller. The one that is told what to do is the data processor.

This means it would be extremely unusual for a subsidiary to be the data controller and the parent company to be its data processor.

Key Liability Principles for Data Controllers and Data Processors

The responsibility and liability created by GDPR works as follows:

  • The data controller is responsible for making sure all the data processing they control (even when it's done by a data processor) complies with the GDPR. They are liable for any breaches of the GDPR, even if it's the data processor who does something wrong or fails to do something.
  • The GDPR says the data processor must be under a legal obligation to the data controller to comply with the GDPR. This obligation makes them liable for compensating the data controller if they suffer any loss (such as paying a fine) because the data processor broke the rules.
  • The GDPR also says the data processor has a specific and limited range of direct obligations to follow the law and could be liable for breaching these obligations.

Let's break this down in more detail.

Data Controller Liabilities Under the GDPR

The data controller is responsible for making sure all the data processing they control complies with the GDPR, even if they use a data processor to do it. The GDPR sets out a host of responsibilities and the data controller is liable for any failure to comply.

The data controller's responsibilities include:

  • Protecting and securing data by default and by design
  • Keeping adequate records of data processing
  • Informing people via a Privacy Policy
  • Ensuring staff GDPR compliance
  • Maintaining lawful basis for processing
  • Overseeing processor compliance
  • Reporting breaches

If the data controller fails to comply with the GDPR, this liability can be enforced in two ways:

Somebody who suffers damage from a breach of the GDPR can seek compensation from the data controller.

A data regulator (such as a country's data protection agency) can impose penalties including a temporary or permanent ban on data processing and a fine. This fine is a maximum of €10 million or two percent of worldwide annual revenue (whichever is bigger) for most breaches; both of these maximum figures double for more serious breaches such as failing to protect people's basic data rights.

A data controller cannot transfer this liability to a data processor.

Data Processor Liabilities Under the GDPR

As a general principle, data processors aren't directly liable for breaches of the GDPR as long as they are following the instructions of the data controller. Only a very small proportion of the penalties imposed under the GDPR are on data processors. These normally apply when the processor has caused a significant breach of the GDPR (and caused significant harm) while directly going against the data controller's instructions.

Data processors do have to cooperate with data regulators, including handing over records of processing where necessary. Failing to do so can lead to a fine.

If a data processor ignores a data controller's instructions in a way that means it is effectively making decisions about how and why to process data, it will be treated as a data controller itself. This means it takes on all the obligations and liabilities on data controllers, including the potential for financial penalties.

The UK GDPR

One big exception to the principle of data processor liability is the United Kingdom, which now has its own version of the GDPR. While it broadly mirrors the measures of the GDPR, the UK version does say processors can be held liable for any failure to comply with the rules. The general principle is that any penalties will be divided between the data controller and data processor based on who was most responsible for breaking the rules.

Data Processor Liabilities to the Data Controller

The data processor's main liability under the GDPR is to the data controller. The data controller has the right to seek compensation from the data processor for any loss they suffer, such as paying a fine, because of the data processor's actions or lack of actions.

Because data controllers pass on people's personal data to data processors, the GDPR doesn't simply leave it up to the data controller to decide how to make sure the data follows its instructions. Instead, they must have a legally binding "data processing agreement" (such as a contract) that includes the following binding obligations on the data processor:

  • Only process data in line with documented instructions from the controller.
  • Make sure anyone who handles the data is legally committed to confidentiality.
  • Keep data secure in line with the GDPR's rules.
  • Assist the data controller in satisfying any data access requests (e.g. by a customer wanting to know what data is stored about them).
  • Delete or return the data when the processing work is done.
  • Keep records to prove they are complying with the rules.

As long as all of these binding obligations are in the data processing agreement, the two sides can negotiate other points and details to include. They can also negotiate the specifics of how the obligations are enforced, for example when and why the data processor compensates the data controller, or whether there's a financial limit on the compensation.

Sanofi's data processing agreement gives clear limits on how the data processor shall handle the data:

Sanofi Data Processing Agreement: Compliance section

SurveyMonkey's data processing agreement confirms that (as a processor) it will help satisfy data access requests:

SurveyMonkey Data Processing Agreement: Data Access Requests section

Sub-processors

The GDPR has special rules when a data processor hires another processor to carry out some of the work it is doing for the data controller. This second processor is known as a sub-processor.

In simple terms, the data processor must have a binding agreement with the sub-processor that says the sub-processor will follow the same rules that are in the original data processing agreement between the data controller and data processor. This includes the sub-processor being liable for any damage caused to the data processor.

For example, if the sub-processor breaks the rules of the GDPR, data protection regulators could impose a penalty on the data controller, or people affected by the breach could seek damages from the data controller. In both cases, the data controller would then seek compensation from the data processor, who in turn would seek compensation from the sub-processor.

While it's rare in practice, the GDPR does account for the possibility of a sub-processor hiring another sub-processor (which also needs a legally binding agreement) and so on indefinitely. The key is that there's always a legally binding chain of accountability.

TrustPilot confirms that while acting as a data processor, it will be liable for a breach caused by its subprocessors:

Trustpilot DPA Agreement: Trustpilot acts as a Data Processor

In short: if a sub-processor breaks GDPR rules, the controller could still be liable - unless there's a binding agreement chain.

Joint Controllers

In limited circumstances, it's possible for two or more organizations to both be classed as data controllers for the same data. This is known as being "joint controllers". The key is that they work together to make decisions about what data to process and how to do it.

For example, three unconnected museums might launch a joint membership card where visitors pay a single annual fee to get discounted entry to all three museums. They would be joint controllers of data such as the visitor's email address, date of birth or card payment details. One museum might handle the payments, with another using email addresses to send out a newsletter covering special events across the museums. However, it's not who does what processing that matters here; rather they are joint controllers because they work together to make decisions on the data processing.

With the joint controller setup, there's no data processor. Instead all the joint controllers are equally liable for any breaches involving the relevant data.

Unlike with data controllers/data processors, there's no requirement for a legally binding agreement between the joint controllers. Instead they must publish a document saying who will take on responsibility for different elements of GDPR compliance (e.g. museum A is responsible for keeping data secure, or museum B is responsible for handling data access requests).

However, this is for information purposes only. Any or all of the joint controllers are legally liable for any breach, regardless of which one directly caused it.

The James Hutton Institute and the Scottish Government detail the mutual responsibilities:

James Hutton Institute and Scottish Government share mutual responsibility

Summary

While data processors act on behalf of data controllers, the controller remains ultimately responsible for GDPR compliance. This includes ensuring processors (and their sub-processors) follow the law through binding agreements. If something goes wrong, the liability often flows uphill - from sub-processor to processor to controller.

Under the GDPR, "data controllers" decide how and why personal data is processed. They may or may not actually do the processing themselves. Meanwhile "data processors" only process data on the data controller's behalf and under their instructions.

The data controller is always responsible for making sure data processing complies with the GDPR, even if a data processor is acting on their behalf. They are liable for penalties and compensation if the processing breaches the GDPR.

The data controller must have a binding legal agreement with the data processor (a "data processing agreement") that guarantees the data processor will follow the GDPR. Usually the agreement says that if the data processor breaks the rules, and this causes the data controller to get fined or pay compensation, the data controller can recover the money from the data processor. If the data processor uses somebody else (a "sub-processor") to carry out some of the work, they'll need a similar agreement.

The key point is that the data controller is always directly responsible for complying with the GDPR, but anyone who handles personal data must also follow the GDPR and will ultimately pay the price if they don't.