The difference between a data controller and a data processor, and how to tell
The distinction between a data controller and a data processor is fundamental under data protection laws like the UK GDPR and EU GDPR. Here's how they differ and who defines them:
Controller vs Processor – The Key Differences
| Role | Data Controller | Data Processor |
|---|---|---|
| Definition | The party that determines why and how personal data is processed. | The party that processes data on behalf of the controller. |
| Decision-Making | Decides the purpose and means of the processing. | Acts only on the documented instructions of the controller. |
| Responsibility | Primarily responsible for compliance with data protection laws. | Must implement appropriate measures and follow the controller's instructions. |
| Contracts Required? | Must have contracts in place with processors. | Must have a data processing agreement with the controller. |
| Direct Liability? | Yes. | Yes, but only for failing to follow instructions or breaching processor-specific obligations. |
Who Defines Whether You Are a Controller or Processor?
Ultimately, the actual role you play in a data processing activity defines your status — not what your contract says or what title you assign yourself. However:
The ICO (UK Information Commissioner's Office) or EDPB (European Data Protection Board) provides guidance on how to determine this.
You determine your role based on the facts:
- Who decides the purpose of the data processing?
- Who decides how it is carried out?
- Who has access to the data?
The ICO says: "A controller is the party that decides 'why' and 'how' personal data should be processed. A processor acts on the controller's behalf and under their instruction."
Example Scenarios
Controller: A retailer collecting customer data for marketing.
Processor: An email marketing company sending out campaigns on behalf of that retailer.
Joint Controllers: Two organisations jointly determine the purposes and means (e.g. a co-branded event registration system).