Data controller vs data processor: differences explained

by SecureSlate Team in GDPR


Under GDPR, who decides why and how personal data is processed determines whether you are a data controller, data processor, or in some cases a joint controller. Getting the role wrong creates compliance gaps and contract disputes.


Key takeaways

  • Controllers determine purposes and means of processing; processors act on the controller’s documented instructions.
  • Controllers remain accountable to data subjects and regulators even when using processors.
  • Article 28 requires a written contract (DPA) with processors covering security, sub-processors, and assistance duties.
  • The same company can be a controller for one activity and a processor for another.

This guide covers:

  • Legal definitions of controller and processor
  • Side-by-side responsibility comparison
  • Data processing agreements and sub-processor chains
  • Joint controllership and common SaaS scenarios



Controller and processor definitions

Role            | GDPR definition | Plain-language summary
Data controller | Article 4(7)    | Decides why (purposes) and how (means) personal data is processed
Data processor  | Article 4(8)    | Processes personal data on behalf of the controller, on its instructions

Example: A retailer (controller) uses a cloud email vendor (processor) to send order confirmations. The retailer sets the purpose (transactional email) and instructs the vendor; the vendor must not use the data for its own marketing without a separate lawful basis.


Responsibilities compared

Topic                        | Controller                                                                                                      | Processor
Lawful basis                 | Must establish and document one (Article 6)                                                                     | Relies on the controller's documented instructions
Privacy notice               | Primary transparency duty toward data subjects (Articles 13-14)                                                 | Assists the controller when needed
Data subject rights          | Leads responses; may delegate tasks                                                                             | Assists as set out in the DPA (Article 28(3)(e))
Records of processing (RoPA) | Maintains records for its own activities (Article 30(1))                                                        | Maintains records of processing carried out on behalf of each controller (Article 30(2))
Security (Article 32)        | Accountable for the overall processing; must only use processors offering sufficient guarantees (Article 28(1)) | Implements the measures required by the contract
Breach notification          | Notifies the authority within 72 hours where feasible (Article 33); notifies individuals when the risk is high (Article 34) | Notifies the controller without undue delay after becoming aware (Article 33(2))
DPIAs                        | Conducts one when required (Article 35)                                                                         | Assists the controller
International transfers      | Ensures a lawful transfer mechanism (Chapter V)                                                                 | Transfers only on documented instructions

Processors must not engage another processor (sub-processor) without the controller's prior specific or general written authorization (Article 28(2)), and must impose the same data protection obligations on the sub-processor by contract (Article 28(4)). Under a general authorization, the processor must inform the controller of intended changes so the controller can object.


DPAs and sub-processors

A Data Processing Agreement (DPA) is mandatory under Article 28. Minimum topics include:

  • Subject matter, duration, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Controller instructions and processor confidentiality
  • Security measures and assistance with audits
  • Deletion or return of data at end of service
  • Sub-processor rules and liability allocation

Maintain a sub-processor register and change-notification process—especially for SaaS vendors using cloud infrastructure providers.
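As an added illustration of that register and change-notification process (example code written for this article, not from the original page or from any vendor), the following Python script diffs a vendor's published sub-processor list against the controller's own authorization register. Every vendor name, date and the 30-day objection window are constructed sample data.

```python
"""Sub-processor register check (added example with constructed data).

Compares what a vendor (processor) currently lists as its sub-processors with
the authorizations the controller has on record, and flags:
  - sub-processors in use with no written authorization and no notification,
  - notified additions whose objection window is still open,
  - notified additions whose window has elapsed but are not yet in the register,
  - authorized sub-processors with no confirmed flow-down contract,
  - register entries the vendor no longer lists (confirm deletion/return).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SubProcessor:
    """One sub-processor as it appears on the vendor's published list."""
    name: str
    service: str
    location: str


@dataclass(frozen=True)
class Authorisation:
    """Controller-side record that a sub-processor was authorized."""
    authorised_on: date
    flow_down_contract: bool  # vendor confirmed equivalent terms with the sub-processor


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low / info
    sub: SubProcessor
    message: str


def check_register(vendor_list, register, notifications, today, objection_days=30):
    """Diff the vendor's current list against the controller's register.

    vendor_list:   set of SubProcessor published by the vendor today.
    register:      dict SubProcessor -> Authorisation held by the controller.
    notifications: dict SubProcessor -> date on which the vendor notified an
                   addition under a general authorization; the controller may
                   object within objection_days (a constructed contract term).
    """
    findings = []
    for sub in sorted(vendor_list, key=lambda s: s.name):
        auth = register.get(sub)
        if auth is not None:
            if not auth.flow_down_contract:
                findings.append(Finding("medium", sub,
                    "authorised but no flow-down contract confirmed"))
            continue
        notified = notifications.get(sub)
        if notified is None:
            findings.append(Finding("high", sub,
                "in use with no written authorisation and no change notification"))
        else:
            deadline = notified + timedelta(days=objection_days)
            if today < deadline:
                findings.append(Finding("medium", sub,
                    f"notified {notified.isoformat()}; objection window open until {deadline.isoformat()}"))
            else:
                findings.append(Finding("low", sub,
                    "notified, window elapsed; add to register or raise a late objection"))
    for sub in register:
        if sub not in vendor_list:
            findings.append(Finding("info", sub,
                "authorised but no longer listed by vendor; confirm data deleted or returned"))
    return findings


def sample_run():
    """Constructed scenario: one SaaS vendor and the controller's register."""
    hosting = SubProcessor("ExampleCloud", "hosting", "EU")
    mail = SubProcessor("ExampleMail", "transactional email", "EU")
    analytics = SubProcessor("ExampleAnalytics", "product analytics", "US")
    support = SubProcessor("ExampleDesk", "support ticketing", "EU")
    old_cdn = SubProcessor("OldCDN", "content delivery", "EU")

    vendor_list = {hosting, mail, analytics, support}
    register = {
        hosting: Authorisation(date(2023, 1, 10), flow_down_contract=True),
        mail: Authorisation(date(2023, 1, 10), flow_down_contract=False),
        old_cdn: Authorisation(date(2022, 6, 1), flow_down_contract=True),
    }
    notifications = {support: date(2024, 5, 20)}  # analytics was never notified
    return check_register(vendor_list, register, notifications, today=date(2024, 6, 1))


if __name__ == "__main__":
    for f in sample_run():
        print(f"[{f.severity:6}] {f.sub.name:17} {f.message}")
```

Run it on a schedule against each vendor's published list (most SaaS vendors expose one on a trust page) and treat any "high" finding as a DPA issue to raise with the vendor, not just a register update.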


Joint controllers and grey areas

Joint controllers (Article 26) jointly determine purposes and means. They must define respective responsibilities in a transparent arrangement and inform data subjects.

Common grey areas:

  • SaaS platforms — often processors for customer content but controllers for account/billing data they determine themselves.
  • Marketplace models — platform and sellers may share decisions requiring legal analysis.
  • Analytics partnerships — shared tagging or audience building can blur roles.

When in doubt, map who decides each processing purpose in a RoPA and seek legal review for high-risk flows.


Get audit-ready with SecureSlate

SecureSlate helps track vendor DPAs, sub-processors, control evidence, and cross-framework mappings so controller/processor obligations stay visible across your compliance program.



FAQ

Can a processor become a controller?

Yes, if it begins determining its own purposes—for example, using customer data for unrelated product development without instructions and lawful basis.

Do processors need a privacy policy?

Processors should explain how they handle data in their role, but primary transparency duties toward end users usually sit with the controller unless the processor directly interacts with data subjects.

What happens if we lack a DPA?

Processing without Article 28(3) terms in place is itself a GDPR infringement, exposes both parties to enforcement under Article 83(4), and leaves the allocation of liability between controller and processor undefined in the vendor relationship.


Disclaimer (legal note)

General information only—not legal advice. Controller/processor classification is fact-specific. Consult privacy counsel for contracts and role determinations.

