Skip to main content

Why is the distinction important?

Knowing the difference between data processor and data controller is essential for companies that process personal data. This distinction is not only important to ensure compliance with data regulations such as GDPR, but also to define responsibilities and obligations between different parties in a data processing agreement.

This blog aims to create clarity about the difference between data processor and data controller, so that you are aware of exactly what your role is in relation to data protection.

What is a data controller?

A data controller is an entity (e.g. a company, organisation or public authority) which itself determines the purpose of the personal data at its disposal, as well as the means to process this personal data. In other words, it is the data controller who decides why and how personal data is to be processed. In general, you can say that you are a data controller if you can answer yes to the following:

  • Do you determine the purposes for the processing of the personal data you have?
  • Do you determine the means for the processing of the personal data you have?
  • Are you responsible for complying with data protection legislation?

The data controller has the ultimate responsibility and is responsible to the persons whose data is processed. The data controller has the responsibility to the supervisory authorities to ensure that the personal data is processed in accordance with the law.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

What is a data processor?

A data processor is an entity that processes personal data on behalf of the data controller. Data processors may be third parties or external service providers who perform tasks that include data processing. Their activities are limited to the specific tasks that the data controller has instructed them in, and they may not process the personal data for their own purposes. Typical examples of data processors include:

  • IT providers who host and maintain data
  • Payroll agencies that process employee information
  • Cloud solutions and SAAS providers used by the company

The role of the data processor is more limited and focused compared to the data controller, and they may only act on instructions from the data controller.

What is a data processing agreement?

A data processing agreement, often referred to as DPA, is a legal contract that establishes the relationship between a data controller and a data processor. This agreement is a legal requirement when a company considered a data controller outsources the processing of personal data to a third party who then acts as a data processor. The agreement is necessary to ensure that both parties understand and comply with their legal obligations under data protection laws, such as the GDPR.

The data processing agreement serves several purposes:

  • Clarification of roles and responsibilities: The data processor agreement specifies what the data processor is permitted to do with personal data and how the data must be handled
  • Security measures: The data processor agreement describes the security measures that the data processor must implement to protect data and to ensure compliance
  • Sub-processors: The data processor agreement regulates the use of any sub-processors, i.e. additional third parties that the data processor makes use of
  • Data transfers: The data processing agreement sets out rules for the transfer of personal data to third countries or international organisations, if relevant
  • The right to audit and inspection: The data processor agreement gives the data controller the right to carry out audits or inspections to ensure that the data processor complies with data protection legislation and the terms of the agreement

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Looking for help with your data obligations?

For companies, it is important to have a clear understanding of the roles of data controller and data processor to ensure that you have the necessary work processes in place. It is not only a question of following the data rules, but also of building trust with customers and users by showing a serious approach to data protection.

We find that most companies are data controllers. Unfortunately, we also see that many companies find it difficult to live up to their responsibility as data controller. The problem for many is that they have no idea how to started cleaning up the personal data they store. In Safe Online, we have developed DataMapper, which is a Data Discovery tool that precisely helps to get track of your sensitive data by locating sensitive files across the company’s data systems.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit