What is Data Controller vs Data Processor?

A data controller determines the purposes and means of processing personal data (GDPR Article 4(7)), while a data processor processes that data only on the controller's documented instructions (Article 4(8)). The controller decides why and how; the processor acts as a service provider on the controller's behalf.

The distinction sets who is legally accountable. The controller bears the primary GDPR obligations — lawful basis, transparency, responding to data subjects — and must put an Article 28 contract in place with every processor. A typical small business is the controller of its customer and employee data, while its payroll software, email host and cloud CRM act as processors handling that data under instruction.

The trap is that a vendor which starts deciding its own purposes for the data — say, using your customer list to train its own products — becomes a controller for that activity and takes on its own liability. Roles can also be shared: two organisations that jointly decide purposes are "joint controllers."

Getting the role right shapes your contracts, your Record of Processing Activities and your breach-notification duties. A template DPA and processor checklist help you document the relationship correctly and fast — but the documents only reflect reality; you still have to operate within the role you've actually taken on.

Related terms: Data Processing Agreement (DPA) · Records of Processing Activities (RoPA) · Vendor Risk Management · Covered Entity vs Business Associate

Frequently asked questions

How do I tell whether I'm a controller or a processor?
Ask who decides why the data is processed and what is done with it. If your organisation makes those decisions, you are the controller. If you only act on another organisation's documented instructions, you are the processor.

Can one company be both a controller and a processor?
Yes. A SaaS provider is typically a processor for its customers' data but a controller for its own employee and billing records. The role is assessed per processing activity, not per company.

What contract is required between a controller and a processor?
GDPR Article 28(3) requires a written Data Processing Agreement (DPA) setting out the subject matter, duration, nature and purpose of processing, the types of data, and the processor's obligations.

Toolkits that cover Data Controller vs Data Processor

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.


Learn more in our GDPR guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.