Who are controllers and processors?

Who are data controllers, joint controllers and processors under the GDPR? Watch Melania Tudorica explain more.

Who are data controllers, joint controllers and processors and what are their obligations? Watch this video to find out more.

The definitions in Article 4 GDPR determine who controllers and processors are. Controllers are those who determine the purposes and means of processing personal data. Processors are those engaged in processing personal data on behalf of controllers. To identify controllers and processors, the key is thus to establish who determines the purposes and means of data processing. Purposes and means are the reasons and modalities for collecting personal data: which data is collected and for what reason, why this data is collected, and what it will be used for. The actor who determines this is the controller and the actor who assists the controller in processing activities is the processor.

To make this clearer: if you visualise a ship and imagine that it is processing data, the controller is the captain and the processors are the sailors. A controller manages and controls the processing of the data (the ship) and determines the purpose (the destination) and the means (the course of the voyage). A processor is contracted by the controller to carry out data processing for the purpose and with the means determined by the controller. Processors (sailors) act under the captain’s instruction and report issues to the controller.

For example, a company has personnel and clients. It needs to have an administration with personal data on its staff and clients (name, date of birth, address, etc.). This administration is kept in electronic files. It will need an IT infrastructure to facilitate this. If the company decides to contract external parties for salary administration and IT, the company determines which data is processed for what reason. The company is the controller because it determines the purposes and means. The external parties process the data on behalf of the company and under its instructions. The salary administration and IT services are processors.

Both controllers and processors have responsibilities and obligations under the GDPR.

This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life