Are You a Data Controller or a Data Processor?

Your company processes personal data. But do you know in what role?

The difference between a data controller and a data processor is one of the most fundamental questions in GDPR compliance, and one of the most frequently misunderstood. It shapes your responsibilities, your contracts, and your liability. Getting it wrong means your entire compliance approach could be built on a false premise.

So, let us break it down.


The data controller

The data controller is the company that decides what happens with personal data. It determines the purpose of the processing (why the data is collected) and the means (how it is processed). If your company took the initiative to collect personal data and decides what to do with it, you are most likely the controller.

Being a controller comes with the heavier set of obligations under the GDPR. You are responsible for putting in place appropriate measures to protect personal data, enabling individuals to exercise their rights, and ensuring that any processors you work with offer sufficient guarantees.

The data processor

The data processor processes personal data on behalf of the controller. It acts under the controller's instructions and cannot use the data for its own purposes. A processor only gets involved because the controller asked it to.

The relationship between a controller and a processor must always be governed by a written contract. That contract needs to set out exactly what processing takes place and how the processor must handle the data.


A concrete example

Imagine a company wants to outsource its payroll. It hires an external payroll provider and shares employee salary data with them. The company gives clear instructions: who to pay, what amounts, and how long to keep the records.

In this scenario, the company is the data controller. It decided to collect its employees' data and determines the purpose of the processing. The payroll provider is the data processor. It handles the data solely to carry out the payroll, according to the instructions it received. It cannot use that data for any other purpose.

If the payroll provider starts using that employee data for its own commercial purposes, it crosses the line. It then becomes a controller for that processing and takes on full GDPR liability for it.


Why this matters for your business

Knowing your role is not just a theoretical exercise. It determines:

  • Which GDPR obligations apply to you directly

  • What your contracts with partners and vendors must say

  • Who is liable if something goes wrong

  • Whether you need a Data Protection Officer

Many startups and scale-ups assume they are processors because they work for clients. But if you also decide how and why data is processed, even partially, you may well be a controller or even a joint controller. The line is not always clear-cut.

Misclassifying your role can expose you to real compliance risks, including fines and liability for breaches that you thought were someone else's responsibility.


Two questions to ask yourself

Not sure which role applies to your company? Start here:

  1. Did you take the initiative to process this personal data, or were you asked to do so by someone else?

  2. Do you decide how the data is processed, or are you following someone else's instructions?

If you took the initiative and decide the how and why, you are likely the controller. If you are acting on instructions and cannot use the data for your own purposes, you are likely the processor.

In practice, a company can be a controller for some processing activities and a processor for others. It depends on the specific situation, not the company type.


Not sure where you stand?

This is exactly the kind of question we help startups and scale-ups answer. Reach out and we will help you identify your role and make sure your contracts and compliance approach reflect it.
