What is a data controller and a data processor?
When a company, public authority, institution, or individual processes personal data, it is crucial to understand the roles involved in data processing. The General Data Protection Regulation (GDPR) defines two key roles: the data controller and the data processor. The data controller determines the purposes and means of processing personal data, ensuring lawful processing and compliance. Identifying whether your organization is a data controller, a data processor, or both is essential for compliance with data protection laws.
Understanding personal data processing
Personal data processing includes various actions such as collecting, storing, transmitting, or modifying personal data. Since GDPR applies only to natural persons (not legal entities), businesses and organizations must ensure that their handling of personal data aligns with regulatory requirements.
Before processing personal data, it is vital to clarify the roles and responsibilities of the involved parties. If responsibilities are unclear, organizations risk non-compliance, which can lead to severe legal and financial consequences. For example, a doctor's office and an accountant must each determine the purposes and means of the personal data processed in their respective operations in order to fulfill their responsibilities as data controllers.
What is a data controller?
A data controller determines the purpose and means of personal data processing. In other words, the data controller decides why and how data should be processed.
To manage data protection responsibilities and ensure compliance, both data controllers and processors may appoint a data protection officer.
Responsibilities of a data controller
- Ensuring compliance with GDPR regulations
- Establishing legal grounds for data collection and processing
- Implementing security measures to protect personal data
- Responding to data subject requests, such as access, correction, or deletion of data
- Notifying data breaches promptly, ensuring the data controller is informed of any breach without delay
If personal data is processed incorrectly – such as handling inaccurate data – the data controller is held accountable and may face penalties.
Example of a data controller
A company that collects customer data for marketing purposes determines how and why the data is used. This makes the company a data controller.
The importance of a data processor agreement
A data processor agreement (DPA) is a legally binding document that establishes the relationship between the data controller and data processor. The agreement must outline how data should be processed and the security measures required.
Supervising data processors
A data controller must oversee and ensure that a data processor complies with GDPR regulations. Supervision methods include:
- Independent reports: The data processor provides compliance reports.
- Third-party audits: An external auditor reviews the processor’s security and compliance.
- Direct monitoring: The data controller audits the processor’s activities, either remotely or in person.
For high-risk personal data processing, audits should occur every six months. For lower-risk data, an annual review may suffice.
What is a joint data controller?
In some cases, multiple entities share responsibility for data processing. This is known as joint data controllership.
Example of joint data controllers
If an airline, a hotel agency, and a travel agent jointly manage customer data to offer package deals, they share responsibility for processing the data. In such cases, all parties are accountable for GDPR compliance.
Liability and accountability in data processing
In the realm of data processing, understanding the distinct liability and accountability roles of data controllers and data processors is crucial. Under the General Data Protection Regulation (GDPR), data controllers bear the ultimate responsibility for ensuring compliance with data protection laws. This means that data controllers must establish and enforce data protection principles, ensuring that personal data is processed lawfully, transparently, and securely.
Data processors, on the other hand, are liable for their own compliance with the GDPR. They must adhere strictly to the data controller’s instructions and implement appropriate technical and organizational measures to safeguard personal data. If a data processor fails to comply with GDPR requirements or experiences a security incident, they can be held accountable for their actions.
In scenarios where multiple entities share responsibility for data processing, known as joint controllership, all parties involved share liability and accountability. Joint controllers must work together to ensure that data processing activities comply with GDPR standards and that data subjects’ rights are protected.
Data controllers have a duty to ensure that their data processors comply with GDPR regulations. This includes taking proactive measures to prevent security incidents and protect sensitive information. In the event of a security compromise, swift action is critical.
Both data controllers and data processors must cooperate to ensure compliance with data protection laws. This collaboration includes maintaining accurate records of data processing activities and being able to demonstrate adherence to data protection principles. By working together, data controllers and processors can effectively manage their data protection obligations and safeguard the personal data they handle. Understanding who should have access to personal data is a key aspect of this responsibility.
Key takeaways for data controllers
- A data controller determines why and how personal data is processed.
- A data processor processes data on behalf of the controller.
- A data processor agreement (DPA) is mandatory.
- The data controller must monitor the processor’s compliance.
- In case of joint controllership, all parties are liable for GDPR violations.
By clearly defining roles and responsibilities, organizations can ensure compliance with GDPR and protect personal data effectively.
This post has been updated on 19-03-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.