Data controller vs data processor

When processing personal data, you and/or your organisation will act as either a data controller or a data processor. Determining your relationship to the data you process is essential to maintaining compliance. While both controllers and processors have liabilities in relation to personal data, your responsibilities will vary depending on your status.  

Additional information on the difference between controllers and processors, and what these differences mean in practice, is available from the Information Commissioner's Office.

Data controller

The GDPR defines a data controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". 

In simple terms, the data controller decides what data to collect and why. The data controller also has ultimate responsibility over the personal data. 

The ICO provides a checklist for determining whether you (or the organisation you work for) are a data controller. If any of the following apply, you are likely the controller: 

 You decided to collect or process the personal data.

 You decided what the purpose or outcome of the processing was to be.

 You decided what personal data should be collected.

 You decided which individuals to collect personal data about.

 You obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.

 You are processing the personal data as a result of a contract between us and the data subject.

 The data subjects are your employees.

 You make decisions about the individuals concerned as part of or as a result of the processing.

 You exercise professional judgement in the processing of the personal data.

 You have a direct relationship with the data subjects.

 You have complete autonomy as to how the personal data is processed.

 You have appointed the processors to process the personal data on our behalf.

You might share controller duties with another organisation if: 

 You have a common objective with others regarding the processing.

 You are processing the personal data for the same purpose as another controller.

 You are using the same set of personal data (eg one database) for this processing as another controller.

 You have designed this process with another controller.

 You have common information management rules with another controller.


Data processor

The GDPR defines a data processor as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

A data processor is usually a third party (separate from the person/organisation who initially determined the purposes for processing) that collects, uses, or manages data based on instructions from the controller. A data processor can be held liable for mismanagement of personal data, so it is important that they understand and appropriately follow their obligations as laid out by both the GDPR and the data controller.

Some examples of third party data processors include -- but are not limited to -- Microsoft Office 365, Bristol Online Survey tool, a digitisation company, a transcription service, MailChimp, etc.

The ICO provides a checklist for determining whether you (or the organisation you work for) are a data processor. If any of the following apply, you are likely the processor:

 You are following instructions from someone else regarding the processing of personal data.

 You were given the personal data by a customer or similar third party, or told what data to collect.

 You do not decide to collect personal data from individuals.

 You do not decide what personal data should be collected from individuals.

 You do not decide the lawful basis for the use of that data.

 You do not decide what purpose or purposes the data will be used for.

 You do not decide whether to disclose the data, or to whom.

 You do not decide how long to retain the data.

 You may make some decisions on how data is processed, but implement these decisions under a contract with someone else.

 You are not interested in the end result of the processing.