Data Controller vs. Data Processor: What’s The Difference?

What’s the difference between a data controller and a data processor? What are their responsibilities under GDPR? Learn more in Data Protection 101, our series on the fundamentals of information security.

With the General Data Protection Regulation (GDPR) becoming enforceable on May 25th, 2018, a lot of companies are now making sure that they are GDPR-compliant.

If you are among those who are working with their GDPR compliance journey, then you must have come across the terms “data controller” and “data processor”. Here’s what you need to know about each of these types of entities, important differences, and responsibilities under GDPR.


In GDPR and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data’s subject, such as the user of a website. Simply put, the data controller controls the procedures and purpose of data usage.

In short, the data controller will be the one to dictate how and why data is going to be used by the organization.

A data controller can process collected data using its own processes. In some instances, however, a data controller needs to work with a third-party or an external service in order to work with the data that has been gathered.

Leave a Reply

Your email address will not be published. Required fields are marked *