Controller or processor? What are we?
The importance of establishing if an organisation is acting as a processor or controller
On paper the definitions of controller and processor under GDPR (& UK GDPR) may seem straightforward, but deciding whether you’re acting as a controller, joint controller or processor can sometimes be a contentious area. Many a debate has been had between DPOs and lawyers when trying to classify the relationship between different parties.
It’s not unusual for it to be automatically assumed all suppliers providing a service are acting as processors, but this isn’t always the case. Sometimes joint controllership, or separate distinct controllers, is more appropriate. Or perhaps a company is simply providing a service, and is not processing the client’s personal data (other than minimal contact details for a couple of employees).
It’s worth noting service providers (aka suppliers or vendors) will often act as both controller and processor, for different processing tasks. For example, most will be a controller for at least their own employee records, and often for their own marketing activities too.
What GDPR says about controllers and processors
The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
How to decide if we’re a controller or processor
There are some questions you can ask to help reach a conclusion:
■ Do we decide how and what personal data is collected?
■ Are we responsible for deciding the purposes for which the personal data is used?
■ Do we use personal data received from a client/partner for our own business purposes?
■ Do we decide the lawful basis for the processing tasks we are carrying out?
■ Are we responsible for making sure people are informed about the processing? (Is it our privacy notice people should see?)
If you’re answering ‘yes’ to some or all of these questions, it’s highly likely you’re a controller.
The ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.
A processor only processes a controller’s personal data on the controller’s behalf and, crucially, doesn’t use this data for its own business purposes. While a processor may make its own day-to-day operational decisions, it should only process the data in line with the controller’s instructions, unless required to do otherwise by law.
Sometimes overlooked is the fact that even if only a handful of a service provider’s employees have access to a controller’s personal data, the service provider is still ‘processing’ that data, and will be a processor.
Why it’s important to confirm your status
Controllers have a higher level of accountability. They are obliged to comply with all data protection principles, such as ensuring the lawfulness of processing, being transparent (e.g. privacy notices), fulfilling privacy rights requests and so on.
Processors do have a number of direct obligations, such as being required to implement appropriate technical and organisational measures to protect personal data. A processor is also responsible for ensuring the compliance of any sub-processors it may use to fulfil its services to a controller. In fact, processors are liable for their sub-processors.
The ICO issued a £3m fine to a software company in March 2025 for failing to implement sufficient measures, which you can read about here.
Data processing agreements
There’s a requirement to have an appropriate agreement in place between a controller and a processor. Article 28 of EU / UK GDPR sets out specific requirements for what must be included in the contractual terms.
Such terms are often covered in a Data Processing Agreement/Addendum, but sometimes will be covered in a specific section on data protection within the main contract. (If there’s no DPA, no addendum and no section on data protection, that’s a massive red flag!)
Often overlooked is the need to have clear documented instructions from the controller. It can be helpful to have these as an annex to the main contract (or master services agreement), so they can be updated if the processing changes. We’ve written more about the detail of what needs to be covered in contractual terms here. Other areas which can get forgotten are sub-processors and international data transfers.
There are times where you’re looking to engage the services of a household name, a well-known and widely used processor. This sometimes leads to limited or no flexibility to negotiate contractual terms. In such cases, it pays to check the terms and, if necessary, take a risk-based view on whether you wish to proceed or not.
Before even looking at the terms, due diligence on prospective processors is a ‘must do’ for controllers, taking an approach proportionate to the level of risk the outsourced processing poses. And for their part, processors need to be prepared to prove their data protection and information security credentials.