Punit Bhatia

What is Data Controller and Data Processor in EU GDPR?

Drag to resize

To ensure compliance with the EU GDPR, it is essential to understand the difference between a Data Controller and a Data Processor. The choice of whether your company is a data controller or data processor has an impact on the responsibilities and obligations your company shall have. In this article, we help you with a clear perspective on these topics so that your company can process personal data in a privacy-compliant way.

What is meant by Data Processor?

Data Processor is a legal entity or a natural person who processes the personal data of individuals on behalf of the data controller without having any decision-making power over – what data to collect and process? They can make their own operational decisions but will always perform their duties as per the instructions received or the terms of the contract, they have signed with the Data controller. In short, the key responsibility of a data processor is to ensure the processing of personal data in line with the contract made with the data controller.

A data processor can further outsource or give a part of its work to another company, which is then known as a “sub-processor”. This sub-processor is again bound by the contract terms to which the data processor has agreed with the data controller. It works as an extension of data processor's obligations.

What is meant by Data Controllers?

Data Controller is a legal entity, natural person, or an agency that controls the rights of personal data and is the final decision-maker about the collection and processing of personal data of individuals. This entity is the owner of the data and determines the purposes and means of processing personal data. The key responsibility of the data controller in the context of this article is that the data controller ensures all personal data processing activities, the expected security measures, and all data protection obligations are listed in a written contract that is signed by both parties.
When two or more entities decide on the purpose of data collection and takes a joint call on the means of processing the same, they are known as Joint controller or co-controllers. Here, both entities are jointly responsible for protecting personal data and will be jointly liable to face action in case of any security breach. 

Legal obligations of the data controllers and data processors

The data controller is obligated to adhere to EU GDPR terms and secures the personal data of individuals. Data processors on the other hand must adhere to the terms of their agreement with the data controller, which in turn will be in line with GDPR. Some key differences in legal obligations would be:
  • the controller notifies a personal data breach to the data protection authority while the processor would notify the DPO of the controller as per the contract
  • the controller may need to perform a Data Protection Impact Assessment (DPIA) on personal data processing activity while the processor's role would be to support in this
  • the controller would need to answer data subjects when they exercise their rights while the processor would follow its contract and may ask data subjects to contact the controller.
  • the controller can ask the processor to demonstrate compliance with EU GDPR

Example: Restaurant is celebrating its 100th anniversary

A local restaurant is planning to celebrate its 100th anniversary by organizing a 10-day food festival. The owner of the restaurant decides to outsource the work of invitations to a local event management company and hand over the list of its patrons with names, and email addresses. In this scenario, since the data of the patrons will be processed for an invitation by the event management company, it is acting as a data processor. Herein, the event company is neither the owner of the data namely – the names, and contact details of patrons, nor decided the purpose of processing this data. Data processing in form of sending invitations to the patrons is on the specific instructions of the restaurant owner. Therefore, the event management company is the data processor.  Naturally, the restaurant determines the purposes of the processing. Therefore, the restaurant is the data controller.

How do you know your company's role?

To identify the correct role of your company, you can consider the following questions:
  • Does you decide on what personal data to collect?
  • Do you decide the purpose of processing personal data?
  • Does you decide the duration of data retention or storage for personal data?
If you could answer the above questions as "yes", your company's role is the data controller. Remember it is possible for two companies to be joint controllers when they collectively decide on the collection and processing of personal data.
And, if your company processes personal data and can answer the following questions as "yes" for that personal data processing, it has the role of processor or sub-processor:
  • Are you processing data on behalf of another organization?
  • Are you processing the data as per the instructions, obligations, or as per the terms of the contract?
A careful assessment based on the above questions will help you to ascertain the right EU GDPR role and proceed further with defining the contractual obligations so that both companies can ensure data protection in the data processing activities.


When your company aims to work with another company, it is important to clearly state the role i.e., who is a Data Controller and who is a Data Processor. Of course, it may be that a companies have the role of the joint controllers or maybe they are sub-processors. While you do this, also define what personal data is being processed, the purpose of processing, and the expected measures to ensure personal data protection. Doing so will help you to demonstrate compliance. And, if you need help in doing this, our data protection consultant can help you.

Go to The GDPR Page

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who helps CXOs and DPOs to identify and manage privacy risks by creating a privacy strategy and implementing it through setting and managing your privacy program and providing scenario based training to your key staff.  In a world that is digital, AI-driven, and has data in the cloud, Punit helps you to create a culture of privacy by establishing a privacy network and training your company's management and staff. 
For more information, please click here.

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.
Created with