Module 3 · Controller vs processor
Who decides the purposes and means of processing? Whoever determines the "why" and the "how" is the controller (Article 4(7)); whoever processes on the controller's instructions is the processor (Article 4(8)). The EDPB Guidelines 07/2020 set the two tests for processor status, and Article 26 covers joint controllers. The controller carries ultimate accountability.
The first job is to classify each party. A controller (Article 4(7)) decides why data is processed and how (the essential means) - what data is collected, the retention period, who it is shared with. Crucially, a controller does not need access to the data to be a controller, so long as it exerts determinative influence over the processing.
A processor (Article 4(8)) acts on the controller's instructions. It may exercise discretion over non-essential means (e.g. which hardware or software it uses), but if it decides the purposes or essential means, it becomes a controller in its own right and infringes its contract.

| Dimension | Controller (Art 4(7)) | Processor (Art 4(8)) |
|---|---|---|
| Decides the "why" (purposes) | Yes | No |
| Decides essential means (the core "how") | Yes | No - only non-essential means (e.g. hardware/software) |
| Acts on instructions | Sets the instructions | Follows the controller's instructions |
| Needs access to the data? | No - determinative influence is enough | Yes - it actually processes the data |
| Can be a natural OR legal person | Yes | Yes |
| Accountability | Ultimate accountability | Liable for its own breaches; cannot hide behind the contract |

To qualify as a processor, an entity must (1) be a separate entity from the controller, and (2) process on the controller's behalf. Fail either and it is not a processor.
Joint controllers (Article 26) arise where two or more controllers jointly determine the purposes and means - through a common decision OR converging decisions that complement each other and are necessary for the processing. The test: "Would this processing be possible without both parties' participation?" If no, the participation is inextricably linked, so it is joint controllership. They must have an arrangement (usually a contract) setting out respective responsibilities - especially data-subject rights and a contact point - and the essence of that arrangement must be available to data subjects. A data subject can exercise rights against either controller, regardless of the arrangement.
A recruitment agency is a processor when finding candidates for "Company ABC" (the controller), but a controller for its own database of applicants it keeps for other roles.