The differences between data controller and data processor

The new GDPR obliges all persons, companies and organizations that process personal data to comply with a series of requirements and to apply certain security measures based on the type of owned data.

In this sense, two important figures should be taken into consideration in the process of adaptation to the GDPR – the controller and the processor.

The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

An entity is controller when he or she controls and takes responsibility for the owned data.

What are data controller’s obligations?

The data controller has a major responsibility of ensuring the compliance with the GDPR regarding the collection, management, access and cancellation of personal data.

Firstly, the explicit consent of the individuals regarding processing their data must be obtained. Besides that, the documents that certify this consent must be stored. However, the consent is not always necessary, sometimes the data processed is based on a legal obligation, a legitimate interest, etc.

In the same way, it must be ensured that you will pursue the request if an individual revokes the consent to access his or her personal data.

The controller will also have to report all the violations of access to personal data within a period that does not exceed 72 hours.

Likewise, the controllers must demand from processors with whom they work to comply with the GDPR and obtain the necessary certificates that prove this. It is expected that the controller works only with those processors that take suitable technical and organizational measures to comply with the guidelines of the GDPR.

What are data processor’s obligations?

The data processor must ensure that he or she will not use the personal data for a purpose other than that described by controller. Upon request of controller, the processor will have to proceed with the return or elimination of these personal data in accordance with the document destruction processes established in the GDPR.

If there is a violation of access to personal data, the processor must inform the controller immediately.

How is the relation between controller and processor established?

The regulation of the relationship between controller and processor must be established through a contract or a unilateral legal act of controller and must be in writing, including in electronic format. It must contain the following:

  • The instructions of the controller
  • The confidentiality duty
  • Security measures
  • The subcontracting situation
  • The rights of concerned parties
  • The collaboration in compliance with controller’s obligations
  • The data destination at the end of the service
  • The collaboration with the controller to demonstrate compliance

In order for the processor to be able to access data, the consent of the concerned parties is not necessary (concerned parties are those persons whose data is processed, provided that the mentioned work order agreement exists).

Once the processor has fulfilled the objective of the agreement, he or she will have to return the data to the controller or proceed with its destruction in accordance with the provisions of the GDPR.

Share this article


Article written by

A. P.

This is an example of a biography, lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Related articles



Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars