Differences Between Controller and Processor Under GDPR Rules

One of the changes that will be introduced with the General Data Protection Regulation (GDPR) in 2018 is the delineation of specific obligations on data controllers and processors.

Contrary to the current law, the new data protection regulations place statutory responsibilities on data processors. It is therefore advisable for companies to be in a position to determine whether they are data controllers or processors. This is increasingly important because it helps them know their obligations as stipulated in the regulations and strictly conform to them. In addition, it makes it easier to determine which entity holds the data protection obligations during a data breach.

Data Controllers

The General Data Protection Regulation retains the definitions of data controllers and data processors as they are in the current law. A controller is an entity that determines, either singly or with others, the kind of data that should be collected and how it is used. Data controllers have critical legal duties. There are various ways to determine whether one is a controller or a processor. For instance, a payroll processing firm is categorized as a processor, while its customers are the controllers of the personal data.

Responsibilities of a Controller

The data controller is expected to demonstrate that its data processing activities comply with the regulations under the principle of accountability. These include fairness, transparency, storage limitations, integrity, data minimization, accuracy and confidentiality of personal data. A controller can achieve this by imposing a code of conduct on the processors.

They are also obligated to implement measures that will guarantee compliance with the requirements from the start. This is what is known as privacy by design. Controllers are obliged to have in place technical and organizational measures that ensure processing is limited to what is necessary and is secure by default.

In other words, they have to ensure privacy by default as espoused in Article 25. Measures that help achieve this principle include allocating data protection duties, performing impact assessments, establishing a risk mitigation plan, pseudonymizing personal data and practicing data minimization. An impact assessment may be required in particular cases, such as automated processing including profiling.


Data Processors

Unlike controllers, processors are public authorities or agencies that hold or process data on behalf of the controller. Due to the critical role they play in data processing, the new EU regulation requires due diligence in the selection of processors and a written contract that obliges them to adhere strictly to the instructions of the controllers and regulatory authorities. Their actions and processes must always observe GDPR.

Data Processors’ Responsibilities

Data processors are obligated by law to appoint a Data Protection Officer (DPO) in some circumstances. Appointment of DPOs is a responsibility that is required of both controllers and processors. Circumstances that require the appointment of a DPO include cases where regular monitoring of large-scale data processing is required or if the data being processed is sensitive or relates to criminal convictions.

The processors are obliged to obtain prior written consent in order to use sub-processors. This consent allows them to bind the sub-processors contractually to the responsibilities they have and to the same instructions given by data controllers and supervisory authorities. Sub-processors must also conform to GDPR requirements. They are expected to comply with the regulatory rules for moving data to countries outside the EU/EEA (European Union/European Economic Area). In this case, the processor remains responsible for the decisions or mistakes made by the sub-processor.

The processors will be expected to cooperate with data controllers in a bid to attain compliance with the rules of impact assessment. The processors will also be expected to respond to complaints and inquiries. They will also attend to data subjects when they exercise their rights, such as the rights of access, erasure and objection, and the right to restrict or temporarily suspend processing.