GDPR Data Controllers vs Processors: What’s the Difference?

Table of Contents

When it comes to GDPR compliance, it’s important to know your business’s responsibilities regarding personal data protection. This includes determining whether your business is a data controller or data processor, as the responsibilities differ for each.

A record of €2.1 billion in GDPR fines was administered in 2023, and the number is rising each year. If you don’t want your business to be part of this statistic, it’s important to understand your role as a data controller or processor, as well as the corresponding GDPR guidelines.

Read on for a complete breakdown of the difference between data processors and controllers, what responsibilities each carries, and how to implement them for GDPR compliance.

GDPR Data Controllers vs Processors: What’s the Difference?

The GDPR lays down clear definitions for most roles related to personal data, and it does the same in this case. Let’s explore the definition of each term:

Data Controller Definition

Article 4 of the GDPR defines a data controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

From this definition, we can define a data controller as either an individual, business, or organization that determines the:

Purpose of processing personal dataWhy the data needs to be collected, processed, and what it will be used for.

Means of processing personal dataThis covers the method of data processing, the parameters for data collection, and what tools or third parties will be processing the data.

Data controllers have more authority over how the data is used, but they are also fully responsible for following the data protection standards of the GDPR.

Let’s assume your business sells a software subscription for which you have to get consumer personal information such as their name, email, etc. If you’ve done your due diligence, and implemented a data minimization approach in the collection process, it’s up to your business to decide which data to collect.

You’ll also be able to choose what means you want to collect or process the data, whether through a third-party application or a website or marketing integration.

In short, if your business has full control over why and how the data is processed, you’re a data controller.

Data Processor Definition

While a data controller has full control over why data is processed and how it’s processed, a data processor is only responsible for processing the data. But what is meant by “data processor” and “data processing?”

Article 4 of the GDPR defines processing as “any operation or set of operations which is performed on personal data”. This covers everything from collection and recording to storage and even destruction of data.

Under the same article, the GDPR outlines the definition of a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The definition makes two things clear:

A data processor has to be a “body” such as a person, business, or organization.

The data processor only processes the data but it’s the responsibility of the controller to determine the how and why of the process.

Let’s take the previous example of a company providing subscription-based software. While the business can choose a third party for collecting consumer sign-up data, the third party is simply a processor- it can’t determine which information to collect.

Roles and Responsibilities of GDPR Data Controllers vs Data Processors

Since the bulk of the decision-making is done by the data controller, it’s more liable for protecting personal data and sensitive information. However, the GDPR places the responsibility of protecting personal consumer data on all involved parties, and data processors are not exempt.

Data Controller Responsibilities

Since data controllers have more authority over data processing, they also have more obligations. If you are a data controller, you’ll have to:

Conduct Data Protection Impact Assessments

All data controllers are required to conduct data protection impact assessments before assigning data processing activities that involve personally identifiable information or sensitive data. Your impact assessment will depend on the industry, as well as the type and scale of data processing.

These assessments usually cover the reason for data processing, the methods used, and an evaluation of risks of potential data leaks.

Follow Adequate Third-Party Risk Assessment Procedures

Article 24 of the GDPR requires data controllers to do adequate risk assessments. According to Article 76, businesses should determine the nature and severity of the risk based on the “nature, scope, context and purposes of the processing,” and the risk assessment should be objective.

Follow GDPR Compliant Data Security Practices

Risk assessments are important for controllers to understand where the lack is in their data security. However, you’ll need to mitigate cybersecurity and other data risks through compliant data security practices.

Data security practices include:

Data privacy training for employees

Use encryption and anti-malware software

Appointing a data protection officer

Establishing data access restrictions

Doing adequate data mapping

Keep Adequate Data Processing Records

The GDPR requires businesses to keep data processing records when processing personal information. These records contain everything from the purpose of data collection and processing to risk assessment results and an overview of any data security measures your business may have implemented to mitigate the risk.

Notify the Relevant Authority in Case of a Data Breach

Even though you aren’t directly involved in processing the data as a data controller, you’re still responsible for keeping records of data breaches. Data controllers also have to inform the relevant regulatory authority in case of a breach.

The GDPR requires data controllers to inform the relevant authority within 72 hours of being made aware of the breach.

Data Processor Responsibilities

While previous data protection law covered the legal obligations of data controllers in detail, the GDPR also lays out the responsibilities of data processors.

As a data processor, you’ll have to:

Follow the Data Controller Processing Instructions

If your business is a data processor, your first responsibility is to follow the data processing instructions of the data controller as outlined in the data contract. If the data controller hasn’t provided any guides on how to process the data, the data processor should keep GDPR regulations in view.

At Captain Compliance, we help data controllers and processors ensure that their processing activities are GDPR-compliant. Get in touch for a free consultation today.

Ensure GDPR Data Security Measures

According to Article 83 of the GDPR, data processors can also be fined if they fail to implement proper data security measures. This includes cybersecurity compliance, data risk assessments, and other security protocols.

It’s not enough to follow the instructions of the data controller and overlook essential data security guidelines.

Notify the Controller in Case of a Data Breach

While data controllers are responsible for notifying the regulatory authority in case of a data breach, data processors should notify the data controller. Failing to do so could result in significant fines.

Keeping Data Processing Records

Data processors are also required to keep records of processing activities. These records contain information similar to that of the data controller, but they should also outline the security measures taken by the processor and how they comply with Article 32 of the GDPR.


What is a Joint Data Controller?

A joint data controller is a business that jointly determines the reason and method of data processing with another business. For businesses to be joint data controllers, they should have the same purpose for data processing.

Read more about the importance of data discovery governance.

Does My Business Need a Data Protection Officer?

Your business only requires a data protection officer if you process large-scale data, sensitive data, or are a public body. However, it’s important to have a data protection officer do a data processing risk evaluation.

Learn more about third-party risk evaluations in this article.

Can a Data Processor Subcontract Data Processing Activities?

A data processor can subcontract data processing activities, but both parties should have an agreement that’s the same as the one between the original data processor and data controller. The sub-contractor is referred to as a “sub-processor.”

Need to set up a data processing contract? Captain compliance can help.

How Can Data Controllers Ensure GDPR Compliance?

Data controllers can ensure GDPR compliance through regular risk assessments, data audits and by following GDPR-compliant data collection and storage processes. They should also do due diligence when selecting a third party for data processing.

Read this guide on due diligence when choosing third-party data processors.

How Can Captain Compliance Help You?

With the number of GDPR fines increasing yearly, it’s important to ensure your business is compliant. At Captain Compliance, we understand the need for data compliance for both data controllers and processors.

We’ll help your business achieve GDPR compliance through data protection impact assessments, regular data audits, risk evaluations, setting up data contracts, and other key data security activities.

Schedule your free consultation with our data experts today!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.