GDPR Data Controllers vs Processors

Published November 15, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, applicable since 25 May 2018, the “GDPR”) grants several rights to individuals with respect to their personal data and gives effect to those rights by imposing responsibilities on organizations in their respective capacities as data controllers or data processors.

The codification of the responsibilities of data controllers and data processors under the GDPR has widespread implications for businesses impacted by the GDPR’s requirements. This article discusses the roles and responsibilities of data controllers and processors as per the provisions of the GDPR.

What Does the GDPR Say About Data Controllers and Data Processors?

The GDPR defines a data controller as a legal or natural person, an agency, a public authority, or any other body that determines the purposes and means of processing personal data alone or in conjunction with others.

On the other hand, a data processor is a legal or natural person, agency, public authority, or other entity that processes personal data on behalf of a data controller.

The GDPR mandates that data controllers and data processors should comply with the provisions of the GDPR in their functions. It is important to note that the roles of data controllers and data processors are ‘functional’ in nature, with different responsibilities being allocated to each role.

Therefore, under the GDPR framework, the status of an entity as a ‘controller’ or a ‘processor’ should be determined as per a factual analysis conducted in light of their actual functions, rather than any formal designation associated with them.

What are the Key Differences Between Controller and Processor?

The substantive difference between data controllers and data processors lies in their functions.

Data controllers are entities that determine the means and purposes of data processing. They decide why data processing is required in a particular situation and how such an objective would be achieved. On the other hand, data processors conduct the function of processing in accordance with the instructions of data controllers.

It should be noted that while data processors may exert limited control over how the processing should be conducted, such as choosing a particular type of hardware or software or implementing detailed technical security measures, it is the data controller that determines essential aspects of the means of processing, such as the type of personal data to be processed, the duration of the processing, and the categories of recipients and data subjects.

As per Article 28(10) of the GDPR, if a processor determines the purposes and means of a processing activity, the processor shall be considered a controller in respect of that processing.

Who Can Be a Data Controller?

As per the definition of a ‘controller’ under the GDPR, there is no limitation on which entity might perform the role of a controller. A data controller could be:

  • a company or any other legal entity, such as an incorporated organization, a partnership, or a public authority or government agency; or
  • an individual acting in a professional capacity, such as a sole trader, a partner in a partnership, or any other self-employed professional.

In practice, it is usually an organization, and not an individual within such an organization, who performs the functions of a data controller. It is principally assumed that any processing activity that takes place within an organization is under the control of that organization.

Joint Controllers

As per Article 26 of the GDPR, where two or more data controllers jointly determine the purposes and means of data processing, they are joint controllers. Joint controllers are required to determine their respective responsibilities under the GDPR in a transparent manner by way of an arrangement between them, in particular as regards the exercise of data subjects’ rights and their respective duties to provide the information referred to in Articles 13 and 14. The arrangement should duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.

The essence of such an arrangement should be made available to the data subjects, and the arrangement may designate a contact point for them. It is significant to note that, irrespective of the terms of any such arrangement, data subjects are entitled to exercise their rights under the GDPR in respect of, and against, each of the joint controllers.

Who Can Be a Data Processor?

Similar to data controllers, a data processor can be any entity, including an organization or an individual. A data controller may choose to engage multiple processors. A processor is, by definition, an entity separate from the controller: it is an external organization or person that processes personal data on the controller’s behalf.

If a controller organization delegates data processing responsibilities to its own staff or departments, such staff or departments would not be construed as ‘processors’ in terms of the GDPR.

Further, the processor must process personal data on behalf of the controller. Even though a data processor is free to make daily operational decisions regarding the processing of data and may enjoy a certain level of discretion in choosing appropriate technical and organizational measures to serve the controller’s interests, a processor should implement the instructions of the data controller with respect to the purposes of processing and the essential aspects of means of processing. A processor may be held liable or fined if it fails to comply with the controller's instructions or the provisions of the GDPR.

Under Article 82 of the GDPR, data subjects who suffer damage as a result of an infringement of the GDPR have the right to compensation from the controller or the processor. A processor is liable only where it has not complied with the obligations the GDPR specifically directs at processors, or where it has acted outside of or contrary to the controller’s lawful instructions. Data processors must therefore always ensure that they adhere to the instructions of, and the contractual terms agreed with, the controller.

What Is a Sub-Processor According to the GDPR?

The GDPR does not define the term “sub-processor”. However, where a data processor, with the prior specific or general written authorization of the controller (Article 28(2)), outsources part or all of its data processing obligations to a third party, that third party is commonly referred to as a “sub-processor.” Where the authorization is general, the processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object.

The data processor remains entirely accountable to the data controller for the activities of the sub-processor. Under the GDPR, the same data protection obligations should be imposed on the sub-processor, as imposed on the processor through a contract with the controller or any other legal act under the applicable law.

What are Data Controllers’ Responsibilities?

Article 24 of the GDPR mandates the data controller to take into account the nature, scope, context, and purposes of any processing activity and the risks posed to the rights and freedoms of natural persons, and consequently implement such appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the requirements of the GDPR.

Under Article 5 of the GDPR, data controllers are responsible for and must be able to demonstrate compliance with the principles of data processing, that is, lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Data controllers should also ensure that all processing activities based on consent are lawful and that the consent has been duly obtained and remains valid in accordance with the GDPR. Controllers are also obligated under Articles 13 and 14 of the GDPR to provide data subjects with specified information, whether the personal data has been collected from the data subjects themselves or obtained from another source.

Controllers should also facilitate the exercise of data subjects’ rights and provide timely information on actions taken in response to any requests regarding data subjects’ rights.

The controllers should use only those processors which provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and protect the rights of the data subjects.

The controller may rely on adherence to approved codes of conduct, as referred to in Article 40 of the GDPR, or approved certification mechanisms, as referred to in Article 42 of the GDPR, as tools that demonstrate compliance with its obligations under the GDPR.

What are Data Processors’ Responsibilities?

Under the GDPR, data processors are required to provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that all processing activities meet the requirements of the GDPR and protect the rights of the data subject.

The responsibilities of a processor are outlined in a contract between the processor and controller, or defined through any other legal act. Such instruments should, in writing, outline the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The instruments shall further stipulate that the processor should:

  • process the personal data only on documented instructions from the controller, unless required to do so under the applicable legal framework, in which case, the processor shall inform the controller of such requirement before processing, unless such communication is prohibited on important grounds of public interest;
  • ensure that persons authorized to process the personal data are under an obligation of confidentiality;
  • take all measures required for the security of processing, as specified in Article 32 of the GDPR;
  • respect requirements of the GDPR in relation to engaging a sub-processor;
  • taking into account the nature of the processing, to the extent possible, assist the controller through appropriate technical and organizational measures for the fulfillment of the controller’s obligation to respond to requests in relation to the data subjects’ rights;
  • assist the controller in ensuring compliance with obligations in relation to conducting DPIAs, issuing personal data breach notifications, and security of processing, taking into account the nature of processing and the information available to the processor;
  • at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of its services (whether by expiry or termination), and delete existing copies unless the applicable law requires storage of the personal data; and
  • make available to the controller all information necessary to demonstrate compliance with the obligations specified above, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. In this respect, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or any other applicable law.

Data Protection Impact Assessments

Where a processing activity (in particular, usage of new technologies) is likely to result in a high risk to the rights and freedoms of natural persons, the controllers are required, prior to the processing, to carry out an assessment of the potential impact of such processing activity on the protection of personal data, in accordance with Article 35 of the GDPR (a “Data Protection Impact Assessment” or “DPIA”).

Records of Processing Activities

Under Article 30 of the GDPR, data controllers are required to maintain records of their processing activities (commonly called a Record of Processing Activities, or “RoPA”); processors must likewise keep a record of the categories of processing carried out on behalf of each controller. A controller’s RoPA should include:

  • the name and contact details of the controller and, where applicable, of any joint controller, the controller’s representative, and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed;
  • any transfers of personal data to a third country or international organization, including the identification of that country or organization and, where applicable, documentation of the suitable safeguards relied upon;
  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organizational security measures implemented to protect the integrity and confidentiality of the data.

Privacy by Design and Privacy by Default

To ensure compliance with data protection by design and data protection by default, controllers must, at the time of determining the means of processing, implement such technical and organizational measures, which effectively mitigate the risks posed to the rights of the data subject as a result of such processing activity.

Further, the controller has a continued obligation throughout the processing activity to monitor changes in the nature, scope, or context of the processing or risks posed to the data subjects, to ensure that appropriate and timely measures are employed to protect the rights of the data subjects.

Under the data protection by default framework, controllers should implement such privacy-oriented processing settings by default, which limit the processing of personal data to that necessary in accordance with predetermined and specified purposes.

Data Protection Officers

Article 37 of the GDPR mandates both controllers and processors to designate data protection officers (the “DPOs”) in cases where:

  1. the processing is carried out by a public authority or body (except for courts acting in their judicial capacity),
  2. the core activities of the controller or processor consist of such processing operations which, by virtue of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale, or
  3. the core activities of the controller or processor consist of processing on a large scale of special categories of data as specified in Article 9 of GDPR or personal data relating to criminal convictions and offenses as referred to in Article 10 of GDPR.

Personal Data Breach Notification

In the event of a personal data breach, data controllers are required under Article 33 of the GDPR to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Under Article 34, controllers must also communicate the breach to the affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms.

Data processors are not required to notify the supervisory authority or the impacted data subjects directly. However, Article 33(2) of the GDPR requires them to notify the data controller of a breach without undue delay upon becoming aware of it, so that the controller can meet its own deadlines.

International Data Transfers

Personal data may be transferred to a country outside the European Economic Area only where the European Commission has found that the country ensures an adequate level of data protection, or where appropriate safeguards are in place to ensure a level of protection essentially equivalent to that guaranteed inside the EU. Under Article 46 of the GDPR, these safeguards include binding corporate rules, standard contractual clauses (SCCs), and ad hoc contractual clauses authorized by the competent supervisory authority, among others.

While relying on SCCs as a cross-border transfer tool, processors must adhere to the documented instructions of the data controller regardless of whether the controller is the importer or exporter of the data. In controller-to-processor agreements, any data breach has to be reported by the importer processor to the controller exporter.

In addition, processors are required to ensure that any onward transfer of the transferred data is subject to specified, explicit and legitimate purposes and such onward disclosure of personal data to a third party can only take place if the data importer is instructed to do so by the data exporter controller. Moreover, data importers must utilize sub-processors only with the authorization of the controller.

How Does Securiti Help?

By harnessing the power of artificial intelligence, Securiti enables enterprises to comply with the GDPR’s requirements. Securiti is a leading provider of a ‘Data Command Center’ that unifies security, privacy, governance, and compliance. Its Data Command Center solution offers complete visibility and control over data across hybrid and multi-cloud environments.

DSR automation, documented accountability, better visibility into data processing operations, automated personal data linking, and other features relevant to GDPR compliance are deeply integrated into Securiti’s ecosystem.

Learn more about how to become GDPR-compliant. Request a demo today.
