What is the difference between a Controller and Processor under GDPR?

If the GDPR applies to your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both.

This is important as controllers and processors have different compliance obligations under the GDPR.

If you fail to comply with the GDPR, your business may face large fines.

Whether you are a controller or a processor determines what your obligations are under the GDPR.

This guide explains the difference between a controller and processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business.

The GDPR applies to businesses that:

  • are physically located in the EU;
  • target their goods or services to individuals in the EU; or
  • monitor individuals in the EU.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor.

What Is a Controller?

Your business will face different obligations depending on whether it is a data controller or data processor.

Data controllers are any of the following that determine the purpose and means of the processing of personal data:

  • natural or legal persons;
  • public authorities;
  • agencies; or
  • other bodies.

A data controller can, therefore, be any business that asks its customers for their personal information.

If your business asks customers for their name and email to send them newsletters, for example, your business is a data controller because you collect personal information for the purpose of sending out a newsletter.

A controller decides which personal data to collect from individuals.

They then also decide how they will use that data.

If your company is a controller, you will process data on many different occasions.

For example, this may be when you:

  • collect contact details to communicate with customers;
  • run analytics on your app to look for trends in how users engage with it; and
  • use cookies on your website.

Each time you process data as a controller, you will need to choose a legal basis on which to do so.

The list below explains the legal bases available to you.

  • Consent: the individual has consented to you processing their personal data.
  • Performing a contract: the processing is part of your obligations under a contract you have with the individual.
  • Vital interests: the processing is necessary to protect the vital interests of the individual.
  • Public interest: the processing is necessary for performing a task in the public interest.
  • Legal obligation: you are processing to comply with your business’s legal obligation.
  • Legitimate interests: the processing is necessary for your business’s legitimate interests (this is self-assessed by you).

What Is a Processor?

A processor is a business that is instructed to process personal data by a controller.

This often occurs in the context of performing services for that controller.

An example is a third-party payment processor (TPPP), such as PayPal, that processes payments on behalf of an online retailer.

Here, the retailer is a controller and the TPPP is a processor.

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer.

Other examples would be data storage businesses such as Amazon Web Services, businesses that organise customer information such as Salesforce, and businesses that send out newsletters to customers such as MailChimp.

Each of these businesses deals with information on behalf of others and is, therefore, a processor of data.

Businesses can be controllers of some information and processors of other information.

The distinguishing factor is who makes the decisions on:

  • which information is collected; and
  • how to use the information.

Data Processing Agreements

The GDPR requires a controller and each of its processors to have an agreement in place with one another.

Called a data processing agreement, this document should set out the way each party handles personal data.

Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.

For example, a mobile app business that collects its users’ personal data is a controller.

The business may also use a developer to provide ongoing development for the app.

While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.

Here, the developer is acting as a processor.

The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.

To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.
