
Short answer: The difference lies in responsibility: the data controller determines the purpose and means of processing personal data, while the data processor acts only on behalf of the controller. Understanding this distinction is essential, as it directly affects your obligations, documentation, and GDPR compliance.

Why is the distinction important?

Knowing the difference between data processor and data controller is essential for companies that process personal data. This distinction is not only important to ensure compliance with data regulations such as GDPR, but also to define responsibilities and obligations between different parties in a data processing agreement. This blog aims to create clarity about the difference between data processor and data controller, so that you are aware of exactly what your role is in relation to data protection.

Did you know that data leaks that include personal data lead to customer loss and affect business sustainability?

Ponemon Institute

What is a data controller?

A data controller is an entity (e.g. a company, organisation or public authority) which itself determines the purpose of the personal data at its disposal, as well as the means to process this personal data. In other words, it is the data controller who decides why and how personal data is to be processed. In general, you can say that you are a data controller if you can answer yes to the following:

  • Do you determine the purposes for the processing of the personal data you have?
  • Do you determine the means for the processing of the personal data you have?
  • Are you responsible for complying with data protection legislation?

The data controller bears ultimate responsibility and is accountable to the persons whose data is processed. The data controller is also answerable to the supervisory authorities for ensuring that the personal data is processed in accordance with the law.


What is a data processor?

A data processor is an entity that processes personal data on behalf of the data controller. Data processors may be third parties or external service providers who perform tasks that include data processing. Their activities are limited to the specific tasks on which the data controller has instructed them, and they may not process the personal data for their own purposes. Typical examples of data processors include:

  • IT providers who host and maintain data
  • Payroll agencies that process employee information
  • Cloud solutions and SaaS providers used by the company

The role of the data processor is more limited and focused compared to the data controller, and they may only act on instructions from the data controller.

What is a data processing agreement?

A data processing agreement, often referred to as DPA, is a legal contract that establishes the relationship between a data controller and a data processor. This agreement is a legal requirement when a company considered a data controller outsources the processing of personal data to a third party who then acts as a data processor. The agreement is necessary to ensure that both parties understand and comply with their legal obligations under data protection laws, such as the GDPR.

The data processing agreement serves several purposes:

  • Clarification of roles and responsibilities: The data processing agreement specifies what the data processor is permitted to do with personal data and how the data must be handled
  • Security measures: The data processing agreement describes the security measures that the data processor must implement to protect data and to ensure compliance
  • Sub-processors: The data processing agreement regulates the use of any sub-processors, i.e. additional third parties that the data processor makes use of
  • Data transfers: The data processing agreement sets out rules for the transfer of personal data to third countries or international organisations, if relevant
  • The right to audit and inspection: The data processing agreement gives the data controller the right to carry out audits or inspections to ensure that the data processor complies with data protection legislation and the terms of the agreement


FAQ on data controllers and processors

1. Who is responsible in the event of a data breach?
The data controller holds the primary responsibility, but the processor can also be held accountable if it fails to follow the controller's instructions.

2. Is a data processing agreement required?
Yes, it’s mandatory under GDPR. The agreement must outline rights, responsibilities, and security measures.

3. Can a company be both?
Yes, depending on the context. For example, a company may be a controller for one processing activity and a processor for another.

Looking for help with your data obligations?

We find that most companies act as data controllers. Unfortunately, many struggle to meet their responsibilities – not because they don’t want to, but because they lack a clear overview of which personal data they hold and where it is stored. Without that insight, it becomes difficult to assess risks, prioritise efforts, and ensure proper data protection.

That’s why we’ve developed a GDPR Risk Assessment. It helps you quickly identify where sensitive information is stored across your systems, where your vulnerabilities lie, and which areas require action. The assessment gives you a solid foundation for decision-making, enabling you to reduce the risk of data breaches and be far better prepared if something does happen.


Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
