GDPR Controller vs Processor

With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, companies must ensure that they are compliant. Regarding personal data, the regulation states that:

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which are collected together can lead to the identification of a particular person and also constitute personal data.

Personal data that has been de-identified, encrypted, or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.” Source:

If we think about the amount of data we can collect from users on the internet, we are faced with the responsibility to comply with the regulation and the duty to be fair, transparent, and trustworthy. This is where the most important figure in data storage comes in, the data controller, and what is the role of the GDPR controller?

Collect data for specified, explicit, and legitimate purposes, only use personal data for the purpose for which it is collected. Ensure that personal data are accurate and up to date, taking into account the purposes for which they are processed, and correct them if they are not. It should also ensure that personal data is not stored longer than necessary for the purposes for which it was collected. And it must install appropriate technical and organizational safeguards to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology to prevent, for example, unwanted leaks, theft of data, etc.

But, within GDPR compliance, apart from the figure of the gdpr data controller, another term appears, the gdpr data processor. So, what is the difference between gdpr controller vs. processor and what are the responsibilities of both?

A data controller is a person or organization that determines the purposes and means of processing personal data. They are responsible for deciding why and how personal data is collected, processed, and used. The data controller is also responsible for ensuring that the processing of personal data is done in accordance with data protection laws.

A data processor, on the other hand, is a person or organization that processes personal data on behalf of a data controller. They only process the personal data for the specific purposes that have been agreed upon by the data controller. Data processors are not responsible for determining the purposes or means of processing personal data, but they are still required to comply with data protection laws.

Who is the controller in GDPR and what are their responsibilities?

In a company, the data controller will be tasked with:

Collect the personal information of its customers, and website users, and must have the legal authority to do so.

Deciding where and how to use the data and for what purpose.

Keeping the data internally or sharing it with third parties. Also deciding with whom to share the data.

Establishing how long the data is kept and when to dispose of it.

Who is the processor in GDPR and what are their responsibilities?

A data processor is one who carries out the actual processing of data under the specific instructions of the data controller.

It is the one to whom the data controller instructs or assigns the task of doing, for example, any of the following:

Design, create and implement processes and systems that enable the data controller to collect personal data.

Use tools and strategies to collect personal data.

Implement security measures to safeguard personal data.

Store personal data.

Transferring data to another organization and vice versa.

And when comparing GDPR processor vs. controller?

Quickly and comparatively, GDPR controllers vs processors, two have different roles and responsibilities.

For some companies, the distinction might not be as clear as in the explanation above.

Whereas with the gdpr data controller we mean the natural or legal person, public or private, who decides on aspects of the processing of personal data such as the purpose and use of the data or the retention periods.

By the gdpr data processor, we mean the service provider who, whether internal to the company or contracted by the data controller (in an external company), must access the personal data for processing and which is the responsibility of the data controller. In fact, simply accessing or viewing the data already implies “processing” as, for example, in the case of suppliers providing maintenance or IT support services. Although they do not have to handle personal data for the provision of the service, they are considered as gdpr data processors.

What is a GDPR controller and processor of a company?

Let’s say we are a tourism website and we ask for data such as email addresses from users who register. Once they give us their data, we collect it, classify it and assign a purpose, storage, and processing; we decide to send a newsletter. Here we have moved from analyzing the data to processing it. From how to use them to execute the decision. From the data controller to the data processor. And as a final bonus, the “data controller” is responsible for ensuring that “data processors” have measures in place to comply with the GDPR. In addition, the “data controller” has the responsibility to demonstrate compliance with the GDPR.

This is how a security cycle is established in the processing, storage, and use of our data in any company within the GDPR umbrella.

The main tasks of a data controller include:

Determining the purposes for which personal data is collected, processed, and used.
Ensuring that personal data is collected, processed, and used in compliance with data protection laws and regulations.
Providing clear and concise information to data subjects about how their personal data is being used and processed.
Ensuring that the rights of data subjects are respected and protected, such as the right to access, rectify, and erase personal data.

The main tasks of a data processor include:

Processing personal data on behalf of the data controller and only for the purposes specified by the data controller.
Implementing appropriate technical and organizational measures to protect personal data from unauthorized access, destruction, or disclosure.
Maintaining accurate and up-to-date records of data processing activities.
Cooperating with the data controller to ensure compliance with data protection laws and regulations.