What is the difference between a controller and a processor GDPR
Joseph Russell
Updated on April 07, 2026
According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.
What is the difference between a data controller and a data processor GDPR?
The data controller determines the purposes for which and the means by which personal data is processed. … The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
Can you be a controller and a processor under GDPR?
Can you be both a controller and a processor of personal data? Yes. … For example, you will have your own employees so you will be a controller regarding your employees’ personal data. However, you cannot be both a controller and a processor for the same processing activity.
What is a processor and controller in GDPR?
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.
Who is a controller and who is a processor?
The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
Are accountants data controllers or processors?
When acting for his client, the accountant is a data controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process.
Can you be a controller and processor of the same data?
An organisation cannot be both data controller and processor for the same data processing activity; it must be one or the other.
What is the role of the processor?
A processor (CPU) is the logic circuitry that responds to and processes the basic instructions that drive a computer. … CPUs will perform most basic arithmetic, logic and I/O operations, as well as allocate commands for other chips and components running in a computer.
Does GDPR apply to processors?
The GDPR applies to the processing of personal data by a controller or a processor that falls within the scope of the GDPR (regardless of whether the relevant processing takes place in the EU or not).
Which is a requirement for controllers under the GDPR?
The GDPR is more prescriptive, but the net effect is very similar—the primary requirement is that the controller must ensure the security of the personal data that it processes. DPAs can only take appropriate enforcement action in relation to data breaches if they are aware of those breaches.
Do I need a data controller under GDPR?
The GDPR does not require every controller or processor to appoint a DPO. A private body or organisation, for example, does not have to appoint one if: Its main activities only seldom involve monitoring data subjects and with little infringement on those data subjects’ rights.
What makes you a data controller?
If you exercise overall control of the purpose and means of the processing of personal data – i.e., you decide what data to process and why – you are a controller.
Are contractors data processors?
The fact that a self-employed contractor may provide services to an organisation does not necessarily mean that they are a data processor; they may be a data controller. … For example, professional service providers such as lawyers and accountants will usually be data controllers in their own right.
Are employers data controllers?
The employer is still deciding the means of processing the data even if they are not physically processing the payroll themselves, and therefore they are (and remain) the Data Controller.
What is the role of controller?
The controller manages accounting records and is responsible for the production of financial reports. … The controller oversees all employees involved in the accounting process, including accounts receivable, accounts payable, payroll, inventory and compliance.
Is Facebook a data controller or processor?
Data processor. Under the GDPR, data processors have obligations to process data safely and legally. While Facebook operates the majority of our services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties.
How long does a data controller have to respond under GDPR?
Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.
Are external auditors controllers or processors?
EU law requires auditors to be independent from their clients. This means that auditors determine why they need to use personal data and how this data is processed or stored. Because of this independence, auditors need to be considered data controllers under the GDPR.
Do data processors need to register with ICO?
Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt. … Perhaps unsurprisingly, more sole traders and organisations have fulfilled their legal requirement to register with the ICO than ever before.
Who reports a data breach, the controller or the processor?
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Who can be a data controller?
GDPR defines a data controller as: “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” (e.g. a business obtaining customer or employee details, or a school, college or university holding student records.)
Can a data processor be fined under GDPR?
Under the GDPR, the ICO can impose fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors.
What are the obligations for data controllers and processors involved in processing the same personal data?
Controllers are obligated to use data processors who follow the legislation. Moreover, any time a data controller and data processor work together, they must use a clearly defined contract to do so. The contract must outline the instructions the processor must follow when processing the data.
What do you mean by data processor?
A data processor is a person, company, or other body which processes personal data on the data controller’s behalf. For the official GDPR definition of “data processor”, please see Article 4.8 of the GDPR.
What is classed as processing?
“Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or …
What is data processing under GDPR?
GDPR Processing: The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide possibility for so-called ‘commissioned data processing’, which is the gathering, processing or use of personal data by a processor in accordance with the instructions of the controller based on a contract.
What is a third-party processor under GDPR?
A third party data processor is defined under GDPR as, “a natural or legal person or organisation which processes personal data on behalf of a controller.” This essentially means any third party who processes personal data on your behalf.