What is the difference between a data controller and a data processor?

A data controller refers to an organization, institution, or individual that sets the standards for personal data processing (Article 24). In practice, that means that a data controller is responsible for determining how and why data is going to be used by an organization. Most often, a data controller is a person or organization that actually gathers data and then dictates how it will be used.

This is in contrast to a data processor. According to GDPR, a data processor is an organization, institution, or individual that implements the standards for data processing established by the data controller (Article 28). Typically, although not exclusively, a data processor is a third party that processes data at the direction and discretion of a data controller. A data processor does not own any of the data it processes and is not in control of it. This means that a data processor cannot change the meaning of the data or direct how the data is used, and is bound by the instructions

While data controllers and data processors each perform different functions, there are two important things to note: 1) One organization can be both a data processor and a data controller; the two roles are not mutually exclusive. 2) Both a data controller and a data processor are obligated to comply with all components of GDPR.

For more context on the Regulation and how it impacts your business, read our GDPR Guide.




This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.