Am I a data controller or a data processor under GDPR?

Understanding your role as either a data controller or a data processor under GDPR is crucial for compliance. The distinction between these two roles is based on who determines the purposes and means of processing personal data.

A data controller is an entity (person, company, or organization) that decides:

  1. Why personal data needs to be processed (the purpose)
  2. How it will be processed (the means)

Key characteristics of a data controller include:

  • Decision-making power over data processing activities
  • Determining which data to collect and for what purpose
  • Choosing how long to retain the data
  • Deciding who has access to the data
  • Responsibility for ensuring GDPR compliance

A data processor, by contrast, is an entity that processes personal data on behalf of the controller, following the controller’s instructions.

Key characteristics of a data processor include:

  • Processing data only as instructed by the controller
  • No decision-making power over the purpose of data processing
  • May make some technical decisions about how to process the data
  • Must assist the controller in ensuring GDPR compliance

It’s important to note that an entity can be both a controller and a processor, depending on the specific data processing activity. For example, a company might be a controller for its employee data but a processor when handling customer data for another business.

To determine your role:

  1. Assess who decides why the data is being collected and processed
  2. Evaluate who determines how the data will be processed
  3. Consider whether you’re acting on your own behalf or following another entity’s instructions

Understanding your role is essential because controllers and processors have different obligations under GDPR. Controllers bear primary responsibility for compliance and must ensure that their processors adhere to GDPR requirements. Processors, while having fewer direct obligations, must still implement appropriate security measures and assist controllers in meeting their GDPR obligations.
