Roles of the parties: controller and processor
In a typical outsourcing deal the customer is the controller and the supplier is the processor. A controller determines the purposes and means of processing; a processor is a person, other than an employee of the controller, who processes personal data on the controller's behalf. The distinction matters because the controller is primarily responsible for compliance and must ensure that a written contract (or other legal act, Art 28(3)) governs the relationship. The contract may be silent on labelling the roles, but it should contain enough to show that the customer has the dominant say over the purposes and means of processing. Even where the supplier acts purely as a processor, the GDPR imposes a string of direct obligations on it (Articles 27, 28, 29, 30, 31, 32, 33, 37, 38, 44 and 49) that apply regardless of what the contract says.
The allocation, in summary:
| Feature | Controller (customer) | Processor (supplier) |
|---|---|---|
| Decides purposes and means | Yes | No (processes on behalf of the controller) |
| Primary responsibility for compliance | Yes | Has direct obligations but is not primarily responsible |
| Must ensure a written contract exists | Yes | Bound by it |
| Relationship to controller | - | Not an employee of the controller |
The processor's direct statutory obligations, which bind the supplier whatever the contract provides:
| Article | Processor obligation |
|---|---|
| Art 27 | Designate a representative in the EU if the processor is not established in the EU (unless the processing is occasional, does not include large-scale processing of special-category or criminal-offence data, and is unlikely to result in a risk to individuals) |
| Art 28(2) | Not engage another processor without the controller's prior specific or general written authorisation |
| Art 28(3) | Carry out the processing under a written contract (or other legal act) containing the terms the Article specifies |
| Art 28(4) | Flow the same data protection obligations down to any sub-processor; remain fully liable to the controller for the sub-processor's performance |
| Art 29 | Process only on the controller's documented instructions, unless EU or member state law requires otherwise |
| Art 30(2) | Keep a written record of the categories of processing carried out on behalf of each controller (Art 30(5) exempts organisations with fewer than 250 employees unless the processing is likely to result in a risk, is not occasional, or includes special-category or criminal-offence data) |
| Art 31 | Cooperate with the supervisory authority on request |
| Art 32 | Implement technical and organisational security measures appropriate to the risk |
| Art 33(2) | Notify the controller without undue delay after becoming aware of a personal data breach |
| Art 37/38 | Designate a DPO where required and support the DPO's position and independence |
| Art 44/49 | Comply with the international transfer rules; where relying on the Art 49(1) compelling-legitimate-interests derogation, document the assessment and safeguards in the Art 30 records (Art 49(6)) |
Under Article 33(2), a processor notifies the controller 'without undue delay after becoming aware' of a breach. It does not notify the supervisory authority directly: the 72-hour deadline in Article 33(1) is the controller's obligation to the DPA, not the processor's, and it runs from the moment the controller becomes aware. Because a slow processor can consume most of that window before the controller even knows, the Article 28(3) contract should fix a concrete notification period for the processor rather than rely on the statutory wording alone.