Role of Data Controller and Data Processor

Last year, the General Data Protection Regulation (GDPR) entered into force and included rules for the automatic processing of data by the controllers and processors. This blog clearly explains the role of the data controller and data processor within an organization.

How GDPR Defines Personal Data?

The General Data Protection Regulation (GDPR) has been the most comprehensive data protection law to date. According to the GDPR, personal data is any information related to an identifiable person or data subject. The personal information includes name, location, the ID number of an entity, and special category information consists of the physiological, genetic, and social identity of the person. These data must be controlled and processed by the data controllers and data processors.

Definitions of Controller and Processor

A data controller is a natural or legal person, public authority, an agency which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processors process personal data on behalf of the controller.

Controller v/s Processor

For example: If you own a website which collects name, email address, and other personal information of the customers, the data controller decides on with whom the data has to be shared, and the data processor decides on how to the shared data can be used effectively.

Responsibilities of the Controllers

The controller shall be responsible for demonstrating compliancewith the principles relating to the processing of personal data. Datacontrollers need to establish a legal precedent for collecting the data andcreate a privacy policy that outlines the purpose of data collection and theentities with whom the data is shared.

If a data deletion requests arrive to delete a particular record,the controller is responsible for initiating the request and should instructthe processor to remove the data from their servers. In the case of a jointcontroller, he is expected to determine their respective controllerresponsibilities by agreement and provide the content of this agreement to thedata subjects.

Data Controllers also need to takesteps to secure data, such as encryption and pseudonymization, stability anduptime, backup and disaster recovery, and regular security testing.

Responsibilities of the Processors

The data processor will have toimplement the necessary controls to ensure that they comply with the privacylaws because the fines can be applied to both controllers and processors. Thedata processor shall also be responsible for storing the records andmaintaining a record of data processing activities.

The processor has to enable and contribute tocompliance audits conducted by the controller or a representative of thecontroller. Processors will also need to review existing dataprocessing agreements to ensure that they have met their compliance obligationsand inform the controller if something in theterms infringes on the privacy law.

Who is Responsible in Case of a Data Breach?

When a processor finds a securitybreach, they must notify the relevant controllers impacted by the breach. Inturn, Controllers will have to record all the data breaches and must inform the Supervisory Authority and the datasubject. Reports made to the Supervisory Authority need to be submitted within72 hours of finding the breach.

To reduce the risk, controllersshould carry out the data risk assessment with the help of processorsregularly. Each risk assessment must describe the purpose of the process andevaluate the risks.

Is Appointing a DPO Compulsory?

Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with data. A DPO's role is to:

  • Advise the organization about its role in data protection.
  • Help with impact assessments.
  • Work with relevant Supervisory Authorities.


The distinction between controller and processor and the obligations that attach to each under the GDPR are sometimes tricky, but it is always vital. Ensuring that you meet those principles and standards of data protection is an urgent priority in protecting you or your business from potential liability under the GDPR.

Download Example (1000 Sample Data) for testing

Click here to download csv

Prevent millions of $ of privacy risks. Learn how.

We take privacy seriously.  While we promise not to sell your personal data, we may send product and company updates periodically. You can opt-out or make changes to our communication updates at any time.