GDPR Data Controller vs Data Processor: What You Need to Know

The General Data Protection Regulation (GDPR) is perhaps one of the world’s most effective data privacy and security laws. Since coming into full effect in May 2018, it has already levied hefty fines against violators, with penalties reaching millions of euros.

If you’re part of a business or organization that deals with the personal data and information of individuals, it’s essential that you understand the rules and regulations under the GDPR.

If you read the GDPR thoroughly, you’ll notice that the words “data controller” and “data processor” are mentioned and cited repeatedly. These 2 roles are quite important in the realm of data privacy in the EU. Let's clear out the distinction between them and their obligations under the law.

What is a data controller?

Under the GDPR, a data controller is a primary party responsible for the operation of secure private data storage. While data controllers have control over their decisions, they will also be held liable for the misuse or lapse of security on the data they keep.

Data controllers are required by law to protect the personal data they store. Hence, it is their responsibility to use GDPR-compliant data processors to avoid fines and penalties.

Data controllers can process the data they have collected using their own methods. Still, they are also allowed to contract third-party services to hold or analyze the data they have collected.

However, using third-party services does not mean that they can let the third-party providers do whatever they wish to do with data. Data controllers should specify exactly how they want the data to be used and processed.

What is a data processor?

A data processor is a party tasked with the processing and analysis of the data provided by the data controller. They cannot process the data provided to them at will and are only allowed to use the data as the data controller instructed. Using the data for any other purpose can lead to fines and penalties.

Who needs a data controller and data processor?

The GDPR applies to any company or organization operating within and outside the EU that offers goods and services to clients in the region. Under GDPR, companies must designate “data controllers” and “data processors” and that there’s an added liability for the collection and handling of customer data.

For organizations and companies required to comply with GDPR, having a clear distinction between a data controller and data processor improves efficiency, as the stakeholders already know what to expect from them.

Having a designation for data controller and data processor also streamlines the whole system, as there would be no need for constant back and forth when it comes to fulfilling one’s duties and responsibilities.

What are the responsibilities and requirements of a data controller?

The GDPR has laid down a detailed list of responsibilities and requirements for data controllers. Here are some of the main points to note:

Data collection

Data controllers are the only ones allowed to collect personal information from users. They should make sure that before they do so, they already have the legal authority to acquire the data.

Data controllers should also make sure that their process of data acquisition is clear and transparent. This can be done with the help of a privacy policy.


Data controllers are only allowed to use and contract data processors who follow the regulations of GDPR. Additionally, every time a data controller and data processor plan to work together, they should have a clearly-outlined contract. The contract should detail the common information and detailed instructions of the data controller to the data processor.

Controllers are also required to use data protection impact assessments when they let their processors perform high-risk activities.


Under GDPR, data controllers should be responsible for the collection, use, and discarding of the personal data in their possession.


Data controllers (and data processors) must use security practices that comply with the standards of GDPR. They must protect the data they have from unauthorized access, disclosure, accidental loss, or destruction.

Apart from these main responsibilities of a data controller, they are also required to be transparent at all times. They must likewise keep a record of the processing of personal information, report data breaches, and appoint a data protection officer.

What are the responsibilities and requirements of a data processor?

Just like data controllers, data processors must take good care of the data that goes through them. Here are the most notable responsibilities of a data processor:

Data collection

As mentioned, only data controllers are allowed to collect data from subjects. The moment a processor collects any sort of data from the subject, the processor will automatically be considered a data controller and will assume all responsibilities and laws that come with being one.


Data processors must follow the instructions of data controllers. No matter what kind of data they have, they cannot do anything with it unless it was under the guidance of a data controller.


Previously, only data controllers were accountable for the whole process of acquiring, securing, and processing data. However, the recent update of GDPR also makes the data processors liable when they perform work that is explicitly instructed to them.

Data processors are also required to engage in security practices compliant with the GDPR standards and keep records of the processes requested by their controllers.

Can the same person take on both roles?

Yes, it is possible for someone to be a data controller and data processor at the same time. However, not many people do so because of the demand for each job. If you take the mantle as one of the data processors on top of being a data collector, then you have to take care of many things.

That includes collecting data, storing the data, and doing analysis for the data you’ve collected. Because of this, most companies opt to hire a third-party to serve as data processors.

Final words

The distinction between data controllers and data processors is important as they have different sets of requirements and responsibilities. If you’re an organization or a business covered by GDPR, it is best to know the differences that data controllers have with data processors. It helps make sure that all your bases are covered, and you know who will be responsible for the next task at hand.