What are data controllers and data processors under the GDPR?

Last updated: 8/3/2020 — GDPR

If you’ve been researching the European Union’s General Data Protection Regulation and how it might impact your organization, you’ve almost certainly come across a couple of terms that have been a source of confusion for website owners: “data controller” and “data processor”.


The concepts of data controller and data processor are introduced in Article 4 of the GDPR, the section that defines commonly used data protection terms.

A data controller is defined as:

  • the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

A data processor, meanwhile, is:

  • a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

That’s a crystal clear explanation, right? Maybe not, if you’re not a regular reader of European privacy law. Let’s take a deeper look at what each role entails.

What is a data controller?

A data controller is any person or organization that gathers personal data from data subjects. The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. That includes things like names, locations, email addresses, credit card numbers, user IDs—basically any detail that might be associated with a specific person.

What is a data processor?

The data processor has the overall control of the data processing operation. That could include your website’s analytics tool, a third-party email service, and internal teams such as marketing and human resources that deal with the personal information of employees and consumers. The variability of what constitutes a processor is another element that makes this such a tricky topic. The exact roles and relationships of controllers and processors can be very different from organization to organization.

What does the GDPR require?

The responsibilities of data controllers and data processors toward data subjects are at the core of the GDPR, with controllers taking the heavier load. The data controller carries the burden when it comes to setting GDPR-compliant data protection policies and procedures, obtaining proper GDPR certification, and adhering to all GDPR codes of conduct.

Most relevant to this subject, the data processor may only process data on the data controller’s behalf and only per instruction of the data controller. The two parties must have a legal contract that spells out their relationship, as well as the nature of the data being processed, the methods of storage, and the duration of the project. Since the controller determines the information that is shared with a processor, as well as how the data is stored and handled, that gives the controller the responsibility to make certain that the processor adheres to all applicable standards under the GDPR.

That doesn’t mean the processor is totally absolved of responsibility, though. Data processor duties as laid out by Article 28 of the GDPR include processing data only as instructed by the controller, offering technical and organizational assistance to the controller, deleting or returning all personal data after a task is complete, and a number of other functions. Failure to comply by either the controller or the processor can result in substantial fines being levied against one or both.

How to Keep Compliant

Even in the complicated sphere of the GDPR, the responsibilities of data collectors and data processors can be confusing for website owners. While it may seem counterintuitive to add another third-party element to the mix, there’s a strong case to be made for investing in tools and services that are specifically geared toward GDPR compliance. An analytics tool that’s been designed with an eye toward requirements of the GDPR, for example, is more likely to meet all of the expectations of a data processor, which in turn makes compliance easier for the data controller.

As with most things GDPR-related, it’s good to keep in mind that the end goal of these regulations is not to punish collectors or processors who fall out of line. The overall mission of the General Data Protection Regulation is right there in the name: protecting the private data of consumers in the EU and beyond. Viewed from that angle, building a compliance plan for data collection and processing isn’t just legally prudent. It’s the right thing to do.

Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.

Learn more about Siteimprove Data Privacy