The Core Difference: Purpose Versus Execution
For each processing activity, every organisation handling personal data under the General Data Protection Regulation (GDPR) acts as either a data controller or a data processor (or, for some activities, a joint controller). This legal distinction dictates your obligations, your liability during a breach, and the specific contracts you must sign.
The data controller decides the "why" and the "how" of data processing. When a user creates an account on your website, you determine what details to collect and how long to store them. You hold the primary responsibility for ensuring that this processing relies on a valid legal basis. If a regulatory authority investigates a data flow, they look at the controller first.
A data processor simply carries out technical operations on the controller's behalf. They provide the infrastructure, such as cloud hosting or email delivery software, but do not dictate the ultimate purpose of the data collection.
Misclassifying your role leads to severe regulatory consequences and invalid contracts. Many companies assume they are processors simply because they provide a B2B software service. If that service uses client data to train its own machine learning models or improve its internal algorithms, the provider has determined a new purpose for the data. Under European Data Protection Board (EDPB) Guidelines 07/2020 on the concepts of controller and processor, this independent decision-making makes the provider a controller for that processing, whatever the contract calls it. Regulators examine the factual reality of the data flow, not just the title written in a contract.
You must understand your exact legal position before drafting privacy notices or signing vendor agreements.
What Is a Data Controller?
Article 4(7) of the GDPR defines a controller as the natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data. The controller bears the highest level of compliance responsibility.
You must ensure that data is collected lawfully, transparently, and securely. When a user submits a subject access request (SAR) or asks for their data to be deleted, the obligation to fulfil that request, normally within one month, rests squarely on your shoulders. You must also report personal data breaches to your supervisory authority (the relevant Data Protection Authority, or DPA) without undue delay and, where feasible, within 72 hours of becoming aware of the incident, unless the breach is unlikely to result in a risk to individuals (Article 33).
Controllers cannot simply outsource their liability. Hiring a third-party vendor to handle your data does not absolve you of responsibility. You must vet your vendors carefully and ensure they provide sufficient guarantees to implement appropriate technical and organisational measures.
Real-World Examples of Controllers
Identifying a controller is usually straightforward in a direct business-to-consumer relationship. An e-commerce website collecting shipping addresses is a controller. A bank processing mortgage applications is a controller.
The lines become complex when using external software. If you install an analytics script on your website to track visitor behaviour, you decide to collect that data to improve your marketing. You are the controller of that analytics data. The software company providing the dashboard acts as your processor, provided it only uses the data to deliver the service to you. If you are unsure which third-party scripts are operating on your site, auditing the tags you have configured and running a comprehensive cookie scan is a necessary first step.
What Is a Data Processor?
Defined in Article 4(8), a processor handles personal data strictly on behalf of the controller. Processors include cloud service providers, payroll companies, IT support agencies, and email marketing platforms.
A true processor does not decide what data gets collected. They do not decide the retention period, nor do they use the data for their own independent marketing. They act entirely on the documented instructions provided by the controller.
While processors have fewer direct obligations to data subjects, the GDPR introduced statutory requirements specifically for them. Processors must implement appropriate security measures (Article 32), maintain records of processing activities (Article 30), appoint a Data Protection Officer if required (Article 37), and notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)).
The Limits of a Processor's Power
The EDPB clarifies that controllers determine the "essential means" of processing, such as the type of personal data and the categories of data subjects. Processors may determine the "non-essential means" of processing.
A cloud hosting provider can choose which specific server hardware to use or which encryption configuration to apply to data at rest. These are technical, non-essential means. If that same provider decides to scan the hosted databases to build targeted advertising profiles, it has exceeded its mandate. It immediately becomes a controller for that specific activity and faces the full weight of GDPR compliance for the unauthorised processing.
Joint Controllers: When Lines Blur
Article 26 of the GDPR introduces the concept of joint controllers. This occurs when two or more controllers jointly determine the purposes and means of processing.
The Court of Justice of the European Union (CJEU) applied a low threshold for joint controllership in the Fashion ID case (C-40/17, 2019). A German clothing retailer embedded a Facebook "Like" button on its website. The court ruled that the retailer and Facebook were joint controllers for the collection and transmission of visitor data to Facebook, though not for what Facebook did with the data afterwards. The retailer benefited economically from increased publicity, while Facebook benefited by expanding its social graph. The fact that the retailer never had direct access to the underlying personal data did not matter.
When implementing marketing pixels or social plugins, you frequently enter into a joint controllership. Both parties must determine their respective responsibilities in a transparent arrangement. The essence of this arrangement must be made available to the data subject. Data subjects can exercise their rights against either controller.
| Responsibility | Data Controller | Data Processor |
|---|---|---|
| Determines the "Why" and "How" | Yes | No (follows instructions) |
| Requires a Lawful Basis (e.g., Consent) | Yes | No (relies on controller) |
| Responds to Data Subject Requests | Yes | Assists the controller |
| Direct Liability for Fines | Yes (Primary) | Yes (for processor-specific obligations, e.g. Articles 28, 30, 32 and 33) |
Can a Processor Be Fined Under GDPR?
Historically, controllers bore the brunt of regulatory enforcement. DPAs are now increasingly targeting processors directly for failing their statutory obligations under Article 28 and Article 32 (Security of processing). For a full breakdown of how GDPR fines and Article 83 penalties are calculated, the tiered structure determines the maximum exposure for both controllers and processors.
In August 2024, the UK Information Commissioner's Office (ICO) announced a provisional £6.09 million fine against Advanced Computer Software Group Ltd following a ransomware attack in August 2022. The company was acting as a data processor for its clients, including NHS organisations. The ICO found it had failed to implement sufficient technical measures to protect the personal information it handled on their behalf; the penalty was finalised at £3.07 million in March 2025. This enforcement action highlights that processors cannot hide behind their clients' controller status. If a processor's security is negligent, the regulator will act against the processor directly.
Data subjects can also claim compensation directly from a processor if the processor has acted outside the controller's lawful instructions or failed to comply with processor-specific GDPR obligations.
This shifting landscape makes vendor selection critical. You must verify that any third-party tool you integrate meets strict security standards before it touches personal data. Relying on cheap, non-compliant plugins exposes both your business and your vendors to regulatory fines and compensation claims.
Contracts and Compliance: The DPA
Article 28 of the GDPR mandates a written contract between a controller and a processor. This is universally known as a Data Processing Agreement (also abbreviated DPA, not to be confused with the Data Protection Authority).
A valid DPA cannot be a vague handshake. It must explicitly state the subject matter, duration, nature, and purpose of the processing. It must list the types of personal data involved and the categories of data subjects. Crucially, the contract must stipulate that the processor only acts on documented instructions. Article 28(3) also requires clauses binding the processor's staff to confidentiality, requiring Article 32 security measures, obliging the processor to assist with data subject requests and breach handling, requiring deletion or return of the data at the end of the service, and giving the controller audit rights.
The DPA must also address the use of sub-processors. A processor cannot simply hire another company to handle your data without your prior written authorisation, which may be specific or general; under a general authorisation the processor must still inform you of changes and give you the chance to object. If you use a marketing agency (processor) and they use a cloud storage provider (sub-processor), the agency remains fully liable to you for the performance of that sub-processor. Reviewing the cookies and tracking technologies your vendors set is part of this due diligence, ensuring no unauthorised third parties are siphoning data from your website.
Drafting these agreements requires precision. When data is transferred outside the European Economic Area (EEA), Standard Contractual Clauses (SCCs) are often incorporated into DPAs; the 2021 EU SCCs include dedicated controller-to-processor and processor-to-processor modules, adding another layer of legal complexity to the controller-processor relationship.
Frequently Asked Questions
Can a company be both a data controller and a data processor?
Yes. A business often acts as a processor for its clients' data (like hosting a website) while simultaneously acting as a controller for its own employees' payroll data or its direct marketing lists.
Do we need a Data Processing Agreement (DPA) with every vendor?
You need a DPA with any vendor that processes personal data on your behalf. If a vendor provides a service but never touches personal data (like a stationery supplier), a DPA is not required. Be careful with vendors that have incidental access, such as IT support with administrative rights to your systems: access to personal data is processing, so those vendors need a DPA too.
Who is responsible for reporting a data breach?
The data controller must report the breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. The processor must notify the controller without undue delay after becoming aware of the breach, but the processor does not report directly to the authority unless its contract or the controller instructs it to.
What happens if a processor uses data for their own marketing?
By determining a new purpose for the data, the processor legally becomes a data controller for that specific activity. They would immediately be in breach of the GDPR for processing data without a lawful basis or the original controller's permission.
Are website owners joint controllers with Facebook and Google?
If you use tools like the Meta Pixel for targeted advertising, the CJEU's reasoning in Fashion ID indicates you are a joint controller with the platform, at least for the collection and transmission of visitor data. You must ensure you have a legal basis, usually consent via a cookie banner (which the ePrivacy rules require anyway for non-essential cookies and similar storage), before these scripts load.
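The engineering consequence of that answer is that tracking scripts must not be injected into the page until the matching consent exists. The following is an added example, not code from the original article or from any consent-management product: a small consent gate that holds registered tags until the visitor opts in to their purpose category, and refuses to load anything further once consent is withdrawn. Tag names, categories and script URLs are illustrative assumptions.

```javascript
'use strict';

// Added example (not from the original article). Tags are registered with a
// purpose category; nothing is injected until consent for that category is
// explicitly `true`. Absent or `false` consent means "do not load".
function createConsentGate(inject) {
  const tags = new Map();   // name -> { category, src, loaded }
  let consent = {};         // category -> boolean; missing key = undecided

  function maybeLoad(name) {
    const tag = tags.get(name);
    if (tag.loaded || consent[tag.category] !== true) return;
    tag.loaded = true;      // mark before injecting so a re-entrant update can't double-load
    inject(tag.src);
  }

  return {
    // Register a third-party tag. If its category is already consented, it loads now.
    register(name, category, src) {
      if (tags.has(name)) throw new Error(`tag ${name} already registered`);
      tags.set(name, { category, src, loaded: false });
      maybeLoad(name);
    },
    // Apply a (partial) consent decision, e.g. { analytics: true, advertising: false }.
    // Only booleans are accepted, so a malformed banner payload cannot grant consent.
    update(decision) {
      for (const [category, value] of Object.entries(decision)) {
        if (typeof value !== 'boolean') throw new TypeError(`consent for ${category} must be boolean`);
      }
      consent = { ...consent, ...decision };
      for (const name of tags.keys()) maybeLoad(name);
    },
    // Names of tags that have actually been injected, in registration order.
    loaded() {
      return [...tags.entries()].filter(([, t]) => t.loaded).map(([name]) => name);
    },
  };
}

// Browser injector (assumed usage): appends a <script> element. Guarded so the
// module also loads under Node for testing.
function domInjector(src) {
  if (typeof document === 'undefined') return;
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// Illustrative wiring with assumed tag names and URLs; the banner's callback
// would call gate.update() with the visitor's choices.
function demo() {
  const requested = [];                       // records what would have been injected
  const gate = createConsentGate((src) => requested.push(src));
  gate.register('meta-pixel', 'advertising', 'https://example.invalid/pixel.js');
  gate.register('analytics', 'analytics', 'https://example.invalid/analytics.js');
  gate.update({ analytics: true, advertising: false });   // visitor declines ads
  return { requested, loaded: gate.loaded() };
}

module.exports = { createConsentGate, domInjector, demo };
```

Withdrawing consent cannot unload a script that has already executed, so the gate only guarantees that nothing further is injected; the site must additionally delete the cookies that tag set. Loading the tag from its vendor's URL also means the vendor's code runs in your page context, which is why the inventory of third-party scripts matters as much as the banner.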
Does a processor need a Data Protection Officer (DPO)?
A processor must appoint a DPO if it is a public authority, if its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of large-scale processing of special category data (Article 9) or data relating to criminal convictions and offences (Article 10).
Take Control of Your Cookie Compliance
If you are not sure which third-party vendors and scripts are acting as processors or joint controllers on your site, start with a free automated scan. Kukie.io detects, categorises, and helps you manage every cookie and tracking script, giving you full visibility into your data flows so you can maintain strict GDPR compliance.