HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is the Difference Between a Controller and a Processor in GDPR?

The General Data Protection Regulation (GDPR) makes frequent reference to data controllers and data processors, but what is the difference between a controller and a processor under the GDPR?

When the GDPR comes into effect on May 25, 2018, both data controllers and data processors will have specific duties which they must fulfill. Under the existing regulations, data processors do not have statutory responsibilities. This will change with the GDPR’s introduction. As a result, organizations will need to ensure that they are aware of whether they will be classified as data controllers or data processors. If they are unsure, they run the risk of failing to comply with the strict standards and criteria expected of them under the new law. They should also know where they stand in order to implement the necessary data protections and procedures, if applicable.

Data Controllers

The GDPR has kept the categorization of data controllers and data processors the same as it appears in the existing legislation. A data controller decides, either alone or in concert with other groups, why data is to be collected and how it should be processed. They have a number of important obligations under the law. Numerous distinctions exist between data controllers and data processors. Let us take, for example, a company processing payroll data. As the service they provide is to process data in a manner determined by their customers and for the purposes which their customers decide, the company itself would be classified as a data processor. The processor company’s customers would be data controllers, as they determine the purpose and means of processing.

Data Controllers’ Responsibilities

Data controllers are responsible for, and must be able to show that, the data processing actions they use do not violate GDPR standards, in accordance with the accountability principle of Article 5. This part of the law states, among other things, that data must be “processed lawfully, fairly and in a transparent manner”.


    GDPR Compliance Checklist
    for American Companies

    Immediate Access
    Privacy Policy

    Article 5 goes on to state that use of the data must be strictly limited to “specified, explicit and legitimate purposes”; that only the minimum data needed for the purpose will be processed; and that reasonable steps must be taken to ensure the data is accurate and up-to-date. Data controllers are also responsible for the confidentiality of the data. Compliance with these rules can be strengthened through introducing a code of conduct, which processors must abide by.

    It is important that controllers put such codes of conduct and rules into place at the very beginning of their activities, following a concept called privacy by design. Once these are implemented, they can help to ensure the correct technical and organizational measures are respected. Controllers must receive guarantees that these will be followed. This will help establish norms such that only the minimum amount of data is processed, in a secure manner, as a matter of course.

    The GDPR further expands on this approach in Article 25, data protection by design and by default. This Article calls for the data controller to introduce “appropriate technical and organisational measures” to:

    • Implement data-protection principles, such as data minimization
    • Ensure that, by default, only the data necessary for each specific purpose is processed and stored
    • Keep the period of the data storage to a minimum
    • Ensure access to data is strictly limited to only those who require it

    In situations where more than one data controller determines the goals and manner of processing, they should designate the responsible parties for data protection, data minimization, and the other data controller’s obligations under the law. Controllers are also responsible for carrying out data protection impact assessments in certain circumstances.

    Data Processors

    Contrary to controllers, data processors are public entities, agencies, or other bodies that store or process data for controllers. As they play a central role by processing data, it is of the utmost importance that they are only selected after a careful review process – indeed, the GDPR requires that due diligence research be carried out when choosing a data processor – and that strict agreements be put in place to ensure that processors fulfill the requirements imposed upon them by data controllers and regulatory bodies. Article 4 of the GDPR defines data processors as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

    Data Processors’ Responsibilities

    In certain cases, data processing will require the designation of a Data Protection Officer (DPO). This concerns both processors and controllers and should be done when systematic processing of large amounts of data is conducted or when data related to criminal and legal records is processed.

    Processors cannot make use of the services of sub-processors without first receiving written permission to do so and contractually binding the subcontractor to the same standards dictated to them by authorities and data controllers. Any sub-contractor used must meet GDPR standards and must comply with the established procedures before transferring any data to a non-EU country. The processor must answer to the controller for any error committed by the sub-contractor.

    A key element in ensuring compliance with the GDPR will be the close collaboration of processors and controllers while conducting impact assessments. Processors must be able to answer any questions or objections posed to them. Importantly, they must be able to satisfy data subjects who choose to use their “right to be forgotten”, who request a copy of their data, or who object to the use of their data. These requests may initially be made by the data subject to the data controller, who would then forward the request to the processor for execution.