I pronounce you Data Controller and Data Processor

A month has already passed since the day the new regulation on data privacy came into force.

After a pre-GDPR panic and what-should-I-do-now!? nightmares, the situation should be eased and clear to all by now.

Or maybe not…


A report published by Deloitte shows interesting statistics revealing the GDPR readiness status across Europe. Not too far back in 2018 there were still a lot of companies unsure about how the GDPR would have impacted their business activities, what within them and, only 15% of them were ready to be compliant before May 25th.

One thing, rather shocking, is also the fact that most of the companies, just a couple of months before the GDPR came into force, were not even aware of its existence!

Considering these circumstances, I wouldn’t doubt for a second that there is quite a lot of uncertainty out there. Especially, I would say, when it comes to understand specific roles and responsibilities.

The GDPR highlights the differences between Data Controller and Data Processor, outlining the distinct obligations and roles that the two parties have. Nevertheless, the interpretation of the regulation and lack of guidance have been raised as major issues, specifically for Article 29 Working Party of the regulation. On top of this, when it comes to business relations the situation is quite complex; in most of data-related activities, it is not always easy to determine whether a company is a Controller or Processor.

Think about this:

A university wants to collect information about its student with the purpose of elaborating estimates about the university population: percentage of international students, average age and performance.

It hires a survey service provider for data-processing the data to deliver results to the university.

At the same time the survey service provider makes use of these data to target a specific segment of students for its marketing purposes.

So, who’s the Data Processor and who is the Data Controller here?

We know that many companies don’t know yet what they are responsible for and are struggling to keep performing their activities as they fear not complying with the new regulation, and for these reasons, we would advise you to read this article which aims to clarify some key points.


Why is it important?

Before trying to understand the differences, the first step to take is to clarify why making a distinction between the Data Controller and the Data Processor is important.

Data processing activities are particularly sensitive, as they involve personal data and concern real people. For this reason, it is quite crucial to avoid any gap in organizations’ responsibilities. That is, avoid that data subjects’ requests get disregarded because roles and responsibilities are not defined between data controllers and data processors.

Furthermore, in the instance of a data breach, it is essential that the parties involved have a clear agreement on where responsibilities lay. As this will allow to simplify the process of determining who is liable for what. This division of responsibilities should be agreed on at the very early stage of the relationship between data controller and data processors, to guarantee a smooth progression of business activities.

Definitions, Roles & Responsibilities

Article 4 (par. 7 – 8) of the regulation provides the definitions of Controller and Processor, clearly highlighting the substantial difference between the two:

  • controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The Data Controller is the one who chooses what the data is used for and how to process it.  Whereas, the Data Processor is the one that follows the instruction of the Data Controller and elaborate systems to implement data processing.

Further exemplifications of the roles of these two parties can be found in Article 24 and Article 28 of the new regulation. More details are given regarding, respectively, the obligations of the Data Controller, and the guidelines of actions and obligations towards the Controller for the Data Processor. They are both summarized here below.


Obligations of Data Controller

The Controller is subject to two principles: Data Protection by Design and Data Protection by Default.

The first stating that at the time of determining the purpose of data processing (data planning) and at the time of data processing (execution time) Controllers are advised to implement processes and take specific security measures in order to carry out data-related activities in compliance with the GDPR. This implies that the Controller is responsible for:

  • Assessing risk for people’s rights and freedoms;
  • Implementing proper security measures to guarantee data protection;
  • Elaborating and adhering to codes of conduct.

The second principle, Data Protection by Default, points out the fact that Controllers should only process personal data serving a specific purpose, should collect data only if necessary and store them for a determined duration. This means, the Controller is responsible for:

  • What data to collect;
  • Where to store data, for how long and when to dispose;
  • How to use data and for which purposes.

A further obligation of Data Controller is to ensure that the party chosen to be their Data Processor can guarantee and demonstrate its compliance with the GDPR.


Obligations of Data Processor

The data processor is mainly responsible for complying with instructions dictated by the data controller. It has no decisional power on what data to process, how to process it nor for which purpose. However, it has the key obligation to ensure and to help the data controller to perform its activities in compliance with GDPR. It is, therefore, mainly responsible for:

  • Operating only under the instruction of the Data Controller – this also affects the use of other Processors, which need to be approved by the Controller;
  • Implementing the right IT system to allow the Data Controller to collect data and fulfill its purposes;
  • Implementing and assisting Data Controller to implement proper security measures to guarantee data protection – this includes ensuring confidentiality by those individuals who access data from the processor’s side.
  • Assisting the controller in responding to any requests concerning the exercise of data-subject’s rights.
  • Assisting the controller to be compliant with the GDPR.
  • Being able to delete any personal data if required by controller.
  • Adhering to codes of conduct outlined by the controller.


Joint Controllers

The regulation also recognizes the eventuality in which two companies perform as data controllers of the same data, a.k.a. Joint Controllers (Articles 26).

This occurs when more than one party is involved in determining the purpose and means of data processing. It is required for the joint controllers to fulfill the followings.

  • They should be able to determine their respective responsibilities, compliance and obligations towards individual’s rights; this all in a clear, unambiguous and transparent manner.
  • The responsibilities of each controller are determined by the EU/member state laws to which the controllers are subjects.
  • Data subjects need to be made aware of the responsibilities and duties that each controller has according to the arrangements made among controllers. This way, data subjects will know which of the controller to reach out to for complaints and/or requests.

However, it is important to outline that the distribution of responsibilities does not release a company from the responsibilities it has towards data subject, as the regulation clearly states that any data controller is liable for any damage occurred during processing activities, unless proven that it is no way responsible. (Article 82)

In conclusion, what you need to remember is that if you are deciding for what purposes and the means through which the data is collected, processed and stored, you are the data controller. If you need instructions before performing any data processing activity, you are the data processor. However, the lower the level of supervision provided by Data Controller on Data Processor, the higher the likelihood of Data Processor becoming co-controller of data.

Hoping that this brief article helped you to identify the key differences between the two roles, if there is anything in this article that you believe requires rectification, please do not hesitate to get in contact.

However, I find extremely important to stress on the fact that this is not an official document from EU. Therefore, we strongly advise you to get in contact with your legal advisor before making any action.


To make it clearer I gathered some examples, which address various circumstances and should help you to further understand your role and responsibilities in the GDPR context. Check out here


S2M can help you build your GDPR-compliant lead list!  Click here to find out more.


Startup Loans – Are you a Controller or a Processor?