# GDPR Data Controller vs Data Processor: Complete Breakdown
Last updated: 2026-04-05 — ComplianceStack Editorial Team
Under GDPR, every organization that handles EU personal data is either a controller, a processor, or both. Your role determines your legal obligations, liability, and what contracts you need. Getting this wrong is one of the most common GDPR compliance mistakes for US companies.
## GDPR Controller vs GDPR Processor: Side-by-Side
| Dimension | GDPR Controller | GDPR Processor |
|---|---|---|
| Definition | Determines purposes and means of processing | Processes data on behalf of a controller |
| Who this is | The company that 'owns' the data relationship with users | Vendors, SaaS tools, and cloud providers that process data on your behalf |
| Legal basis | Must have a legal basis for processing (consent, contract, etc.) | Relies on the controller's legal basis, but cannot process beyond the controller's instructions |
| Data subject rights | Must respond to access, erasure, portability requests | Must assist controller in responding to requests |
| DPA/contract | Must have a DPA with every processor it uses | Must enter into a DPA with the controller; may only engage sub-processors with the controller's approval |
| Liability | Primarily liable; may seek indemnification from a processor whose fault caused the damage | Liable if it breaches the DPA or acts outside the controller's instructions |
| Breach notification | Must notify the supervisory authority within 72 hours of becoming aware of a breach | Must notify the controller 'without undue delay' |
| DPIA | Must conduct a DPIA for high-risk processing | Must assist the controller with a DPIA if requested |
| Record keeping | Must maintain records of processing activities (Art. 30) | Must maintain records of processing on behalf of controllers |
| Transfer mechanisms | Responsible for lawful international transfers | Must only transfer as instructed by controller |
## Who Needs Both?
- SaaS companies (processor to customers, controller for own HR/marketing data)
- Agencies processing client data
- Cloud providers with their own analytics on customer data
## Key Differences Summarized
You're a controller when you decide why and how to process data. You're a processor when you follow someone else's instructions. Many companies are both: a SaaS company is a processor for its customers' data but a controller for its own employee and marketing data.
## Frequently Asked Questions

**Can a company be both a controller and a processor?**
Yes, and many are. A SaaS company processes customer data as a processor (following customer instructions) while also being a controller for its own internal HR, analytics, and marketing data.
**Who is liable if there's a data breach?**
Both can be liable. The controller is primarily liable to data subjects and supervisory authorities. The processor is liable to the controller if the breach resulted from the processor's fault. The controller can seek indemnification from the processor.
**Does every US company that sells to EU companies become a processor?**
If you handle EU personal data as part of your service (e.g., your SaaS product stores EU customer data), yes. You'll need a Data Processing Agreement and must comply with processor obligations.