What are controllers and processors?

Published: August 30th, 2019

Author: Matt Quinn

Categories: GDPR


Organisations need to be sure they have reviewed their data processing activities fully in order to determine which parts of the General Data Protection Regulation (GDPR) are applicable. Not all provisions apply to all organisations. One important distinction in the GDPR is that between ‘data controllers’ and ‘data processors’. This distinction exists in order to recognize that not all organisations involved in the processing of personal data have the same degree of responsibility.   

Briefly, if you are a controller, you are responsible for complying with the GDPR (Article 5(2)) – you must be able to demonstrate your compliance with the data protection principles (Article 5(1)), and take appropriate organizational and technical measures (Article 5(1)(f)) to ensure your processing is in line with the GDPR.    

If you are a processor, you have more limited compliance responsibilities.  

What is a data controller? 

The GDPR defines a controller as: 

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” – Article 4(7)

The ICO puts it rather more simply: “controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.” 

A controller can be a company or other legal entity (e.g. an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader or self-employed professional).

However, as mentioned in our ‘What is GDPR’ article, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the GDPR.

What is a data processor? 

The GDPR defines a processor as:  

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” – Article 4(8)

What this means in practice is that the processor is the organisation responsible for carrying out the processing operations of a controller (they are usually a third party external to the controller). While a processor may make its own day-to-day operational decisions, the ICO note that “Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.”

If a processor acts without the controller’s instructions and does so in a manner that it “determines the purposes and means of the processing”, it will be a controller in respect of that processing and will have the same liability as a controller.  

An Example  

The European Commission have a good example on their website to help illustrate the difference between a controller and processor that is worth quoting in full:

“A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.” 

Can my organisation be both a controller and a processor? 

Yes. As the ICO advise, this is most likely if you are a processor who provides services to other controllers (much like the payroll company in the example above). In this case “you are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data.” However, it is important to keep in mind that you cannot be both a controller and a processor for the same processing activity.    

What should my organisation do next?   

As is hopefully clear, the nature of your GDPR obligations will depend on whether you are a controller or processor. Therefore it is vital you thoroughly review your role in respect of your current (and potential future) data processing activities.

At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance obligations. You can then use our platform to treat any outstanding items.   
