GDPR Data Controller vs Data Processor: Complete Breakdown

Under GDPR, every organization that handles EU personal data is either a controller, a processor, or both. Your role determines your legal obligations, liability, and what contracts you need. Getting this wrong is one of the most common GDPR compliance mistakes for US companies.

Definition
  Controller: Determines the purposes and means of processing
  Processor: Processes data on behalf of a controller

Who this is
  Controller: The company that 'owns' the data relationship with users
  Processor: Vendors, SaaS tools, and cloud providers that process your data

Legal basis
  Controller: Must have a legal basis for processing (consent, contract, etc.)
  Processor: Relies on the controller's legal basis, but can't process beyond the controller's instructions

Data subject rights
  Controller: Must respond to access, erasure, and portability requests
  Processor: Must assist the controller in responding to requests

DPA/contract
  Controller: Must have a DPA with all processors
  Processor: Must enter into a DPA with the controller; can only use sub-processors with the controller's approval

Liability
  Controller: Primarily liable; can seek a reduction by showing the processor was at fault
  Processor: Liable if it breaches the DPA or acts outside the controller's instructions

Breach notification
  Controller: Must notify the supervisory authority within 72 hours
  Processor: Must notify the controller 'without undue delay'

DPIA
  Controller: Must conduct a DPIA for high-risk processing
  Processor: Must assist the controller with the DPIA if requested

Record keeping
  Controller: Must maintain records of processing activities (Art. 30)
  Processor: Must maintain records of processing carried out on behalf of controllers

Transfer mechanisms
  Controller: Responsible for lawful international transfers
  Processor: Must only transfer as instructed by the controller

Key Differences

Who Must Comply with Both

Common Questions

Can a company be both a controller and a processor?

Yes, and many are. A SaaS company processes customer data as a processor (following customer instructions) while also being a controller for its own internal HR, analytics, and marketing data.

Who is liable if there's a data breach?

Both can be liable. The controller is primarily liable to data subjects and supervisory authorities. The processor is liable to the controller if the breach resulted from the processor's fault. The controller can seek indemnification from the processor.

Does every US company that sells to EU companies become a processor?

If you handle EU personal data as part of your service (e.g., your SaaS product stores EU customer data), yes. You'll need a Data Processing Agreement and must comply with processor obligations.
