A data controller decides why and how personal data is processed under GDPR. A data processor only processes that data on the controller's behalf and instructions. That distinction sets who is legally accountable when something goes wrong.
Below: the test that separates the two roles, the contract GDPR requires between them, joint controllers, real examples, and who is liable for a breach.
What Is the Difference Between a Data Controller and a Data Processor?
A data controller decides why and how personal data is processed. A data processor only processes that data on the controller's instructions.
| Attribute | Data controller | Data processor |
|---|---|---|
| Who they are | The organization (or person) that owns the decision to process data | The organization hired to carry out that processing |
| What they decide | The purposes and means: why the data is processed and how | Nothing independently; it follows the controller's documented instructions |
| Relationship to the data subject | Direct: the controller is who the visitor or customer dealt with | Indirect: the processor works behind the scenes on the controller's behalf |
| Primary responsibility | Full GDPR compliance: legal basis, disclosures, data subject rights | Security, confidentiality, and following the contract's terms |
| Liability for a breach | Carries the highest compliance burden and is answerable first | Liable for its own failures; becomes fully liable if it acts outside instructions |
The test that separates the two roles is simple: did you decide why the data is collected and how it is used? If yes, you are the controller. If you only carry out someone else's instructions, you are the processor.
What Is a Data Controller?
A data controller is the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. This is GDPR Article 4(7). It can decide this alone, or jointly with others. Under the General Data Protection Regulation, the controller decides the "why," the purpose behind collecting the data. It also decides the "how," the tools, systems, and rules used to process it.
A controller exercises overall control over the personal data. It is ultimately in charge of and responsible for the processing. It can be a company, another legal entity, or an individual, such as a sole trader or self-employed professional.
Employees who process data as part of their job are not separate parties. While they act within their duties, they act as an agent of the controller, not a processor in their own right.
What Is a Data Processor?
A data processor is a natural or legal person, public authority, agency, or other body (GDPR Article 4(8)). It processes personal data on behalf of the controller, following the controller's documented instructions. A processor is usually a third party external to the controller's own organization.
A processor serves the controller's interests, not its own. It may make day-to-day operational decisions, such as how to schedule a job or which server handles a task. But it processes personal data only in line with the controller's instructions, unless a law requires otherwise.
The moment a processor starts deciding its own purposes for the data instead of following instructions, it stops being a processor for that processing. That boundary determines liability, covered below.
Who Decides the "Purposes and Means" of Processing?
The role turns on one question: who decides the purposes (the why) and the means (the how) of processing the data?
You are the controller if you decide why the data is collected and how it gets used. You are the processor if you only act on another organization's instructions. "Means" covers the essential, non-technical choices: what data to collect, how long to keep it, and who gets access. It is not just about which software tool does the work.
What Are Joint Controllers?
Joint controllers are two or more organizations that together decide the purposes and means of the same processing (GDPR Article 26). This happens when organizations share a processing operation with common goals, such as a joint marketing campaign or a shared database.
Their participation may be unequal. One organization can hold more decision-making weight than the other, and they are still joint controllers. They must agree, in a transparent arrangement, which GDPR duties each of them handles.
The essence of that arrangement must be available to data subjects. A data subject can exercise their rights against any one of the joint controllers, regardless of what the arrangement says internally. Organizations processing the same data for different purposes are not joint controllers; each is a separate, independent controller instead.
The Controller-Processor Relationship and the Required DPA
Whenever a controller hands personal data to a processor, GDPR Article 28 requires a binding written contract, usually called a data processing agreement (DPA).
The contract must require the processor to:
- Process data only on documented instructions from the controller
- Keep staff bound to confidentiality
- Apply the security measures Article 32 requires
- Not bring in a sub-processor without the controller's prior written authorization
- Help the controller respond to data subject requests
- Delete or return the data once the service ends, unless the law requires retention
- Make information available so the controller can demonstrate compliance
A sub-processor is a processor's own subcontractor. The original processor stays fully liable to the controller if the sub-processor fails to meet these same obligations.
Data Controller vs Data Processor: Examples
Real scenarios make the roles concrete. Each row maps a common relationship to its correct role.
| Scenario | Controller | Processor |
|---|---|---|
| A business stores customer data with a cloud host | The business | The cloud provider (for example, AWS) |
| An employer runs payroll through a payroll company | The employer | The payroll company |
| A gym hires a printer to mail event invitations to members | The gym | The printing company |
| A website owner runs analytics and a consent tool | The website owner | The analytics and consent vendors |
In each case, the left column decided why the data was collected and how it would be used. The right column only acted on those instructions. An SME that hires a bookkeeping service follows the same pattern. The SME is the controller of its financial records, and the bookkeeper is the processor that keeps the books on the SME's behalf.
Responsibilities and Liability: Who Is Accountable for a Breach?
The controller carries primary accountability for GDPR compliance and is first in line if something goes wrong. Processors have their own direct obligations and their own liability too.
The controller must demonstrate compliance with the data protection principles. It must choose processors that give sufficient guarantees and answer to regulators and data subjects for the processing overall. Under GDPR Article 82, a controller is liable for damage caused by processing that infringes the regulation.
A processor is directly liable for breaching its Article 28 duties or for its own security failures. It is liable for damage only where it has not complied with obligations the law directs at processors specifically. The same is true where it acted outside or against the controller's lawful instructions.
The highest-value rule to remember: a processor that acts outside its instructions and decides its own purposes becomes a controller for that processing. It then takes on the full liability of a controller.
Where multiple controllers or processors are involved in the same processing and are found liable, each can be held liable for the entire damage. A data subject can seek compensation from any of them.
Can One Company Be Both a Controller and a Processor?
Yes. The same organization is often a controller for some data and a processor for other data, just not for the same processing.
A SaaS or service company illustrates this well. It is the controller of its own employee records and its customers' account data, because it decides why and how that data is used.
For the client data it handles on a customer's instructions, the same company acts as a processor. That covers records it processes inside its software on a customer's behalf. The role attaches to the specific data and processing activity, not to the company as a whole.
What This Means for Your Website (and Your Cookie Vendors)
If you run a website that collects visitor data, you are almost always the data controller. The tools you install on your site are usually your processors.
That translates into a few concrete duties:
- You decide why and how visitor data is collected, so you own the consent decisions and the privacy notice
- Your analytics, advertising, and consent vendors process that data on your behalf, which makes them your processors
- You should have a data processing agreement in place with each vendor that processes visitor data
- You must disclose those processors in your privacy and cookie policy
This is the everyday version of the controller test above. You set the purpose (running your site, tracking usage, showing ads), and every vendor script on that site runs on your behalf. What the GDPR requires for cookies on your banner exists for that reason. You, the controller, are the one accountable for what those scripts do before a visitor consents.
How Consently Fits Your Role as a Data Controller
As the controller of your visitor data, Consently gives you the records and disclosures that role requires. It does that without turning the legal work into a full-time job.
You stay in charge of why and how visitor data gets collected and used. Consently is one of your processors, and it supplies the controller-side evidence you need to prove it. That includes consent logs, with export, that record every visitor's choice. It also includes cookie and privacy policy generators that disclose the processors and data uses your privacy notice has to list.
Consently also gives you the processor-side contract Article 28 requires: a data processing agreement between Consently and your account. It names its hosting region and a current subprocessor list, with Standard Contractual Clauses available on request. That covers the Article 28 relationship for Consently's own processing of your data.
Cookie auto-blocking stops vendor scripts from firing before a visitor consents. Your other processors do not start processing before you have the legal basis to let them.
Consently does not draft or manage the DPAs between you and your other vendors. It also does not make a site "GDPR compliant" on its own. It supports the specific consent, disclosure, and record-keeping tasks a controller carries. Consently's GDPR cookie consent solution covers the consent side of that job. Try Consently free with a 14-day trial, no credit card required.
FAQs
How do I know if I am a data controller or a data processor?
You are the controller if you decide why and how personal data is used. You are the processor if you only act on another organization's documented instructions for that same processing.
What is an example of a data controller and a data processor?
A business is the controller of its customer data, and the cloud host or payroll firm it hires to process that data is the processor.
Can a data controller also be a data processor?
Yes. The same company is often a controller for its own data, such as employee records. It acts as a processor for client data it handles on a customer's instructions, just never both roles for the same processing activity.
Is a data processor liable under GDPR?
Yes. A processor is directly liable for breaching its Article 28 duties or its own security failures. It becomes a controller, with full controller liability, if it starts deciding its own purposes for the data.
Do I need a contract between a controller and a processor?
Yes. Article 28 requires a binding written contract, usually called a data processing agreement, before a processor can handle the controller's personal data.
Is a website owner a data controller or a data processor?
A website owner is normally the controller of its visitors' data. The analytics, advertising, and consent tools it installs act as processors on the owner's behalf.
What is a sub-processor?
A sub-processor is a subcontractor a processor brings in to help with the processing. The processor needs the controller's written authorization before engaging one.
What is the difference between a data controller, a data processor, and a data owner?
A controller and a processor are GDPR legal roles that describe who decides versus who acts on personal data. "Data owner" is an internal governance term from security frameworks, not a role GDPR defines.

