Controller vs Processor - Roles and Liability
A controller is the person or body that alone or jointly determines the purposes and means of processing - the key decision-maker, who carries most GDPR responsibilities and liability (information notices, lawful basis, rights, DPIAs, security, breach notification). A processor processes personal data on behalf of a controller on its documented instructions, and is a subordinate figure with a narrower set of direct obligations (security, record-keeping, breach notification to the controller, transfer rules). Determining who is which is critical: the controller is usually the first target of enforcement. Identifying roles is a factual question - the contract label is not decisive.
| | Controller | Processor |
|---|---|---|
| Core role | Determines the purposes and means (the why and how) - the key decision-maker | Processes on behalf of the controller, on its documented instructions |
| Relationship | Allocates responsibility; can act alone or jointly with others | Subordinate; a separate legal entity from the controller |
| Direct obligations | Most of the GDPR: info notices, lawful basis, data subject rights, DPIAs, security, breach decisions | Security, record-keeping, notify controller of breaches, comply with Chapter V transfer rules |
| Liability | Most liability; usually the first target of enforcement | Limited, but liable for its own duties - becomes a controller if it determines purposes/essential means |
| Determined by | Factual reality, not the contract label | Factual reality; service-provider status alone does not make it a processor |
If a processor infringes the GDPR by determining the purposes and (essential) means of processing, it is treated as a controller for that processing - sharply increasing its obligations and liability (e.g. a payroll firm that decides to market its own products to scheme members).
The same organisation can be a controller in one transaction and a processor in another. Because the controller is normally the first target of a DPA's enforcement action, pinning down the role is a critical exercise - and it turns on what actually happens in practice, not on how a contract labels the parties.