Search

How can we help?

Icon

GDPR: Who are data controllers and processors?

What is a data controller?

When making decisions or processing personal data, it is important to understand whether your role is a controller or processor as each have different duties and obligations when dealing with personal data.  We have set out below what each role entails. 

What does a controller do?

The Information Commissioner’s Office (ICO) defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.  Ultimately, controllers determine the purposes and means of processing, in particular, what data to process, why and how. They are the main decision-makers and exercise overall control as to how the personal data is processed. 

What does it mean if you are a controller?

It is important to recognise that controllers have the highest level of compliance responsibility and have overall accountability for how personal data is handled. Controllers must:

  • Comply with, and demonstrate compliance with the data protection principles, which are, broadly, to ensure that personal data is:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date;
    • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Ensure that individuals can exercise their rights regarding personal data.
  • Implement appropriate technical and organisational security measures to ensure security of personal data.
  • Only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements.
  • Conduct an assessment of the processor’s guarantees by taking into account the processor’s expert knowledge, reliability and resources and where relevant the processor’s reputation.
  • Enter into a binding contract or other legal act with processors, which must include the following regarding the processing of personal data as a minimum:
    • The subject matter and duration of the processing;
    • The nature and purpose of the processing;
    • The type of personal data and categories of data subject; and
    • The controller’s obligations and rights.

In addition, the following specific terms or clauses must be included in the contract:

    • Processing only on the documented instructions of the controller;
    • Duty of confidence;
    • Appropriate security measures;
    • Using sub-processors;
    • Data subjects’ rights;
    • Assisting the controller;
    • End-of-contract provisions;
    • Audits and inspections.
  • Notify processors of any relevant information which may help the processor meet its duties in providing assistance to the controller in ensuring its compliance with Articles 32-36 of the UK GDPR, which considers security of processing, notification of a personal data breach to the Commissioner, communication of a personal data breach to a data subject, data protection impact assessments and prior consultation.
  • Assess data breaches, and notify personal data breaches to the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers must also notify affected individuals, if the breach is likely to result in a high risk to their rights and freedoms.
  • Comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments (DPIAs) and appointing a data protection officer.
  • Pay the ICO a data protection fee unless exempt.
  • Understand their liability: controllers are liable for their own compliance under the UK GDPR and therefore any applicable sanctions, claims and damages.

Can there be more than one controller?

Yes, the UK GDPR defines this as being a ‘joint controllership’, where two or more controllers jointly determine the purposes and means of processing. Joint controllers have shared purposes and can take different forms and combinations. It is important that there is a transparent agreement in place, which sets out each controller’s obligations, roles and responsibilities for UK GDPR compliance.

They are not joint controllers if they are processing the same data for different purposes.

A joint controller can be held liable for non-compliance in exactly the same way as from any sole controller. Each joint controller will be liable for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage. 

 

It is important to understand whether your role is a controller or processor as each have different duties and obligations when dealing with personal data.

What is a processor?

The ICO defines a processor as being “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Processors are separate legal entities to the controller which act on behalf of, and only on instructions of, the relevant controller, therefore, do not have any purpose of their own in processing the data. 

For example, the controller’s employees are not processors. 

Similarly to controllers, processors will be subject to obligations under the UK GDPR, but contrastingly, processors will be required to report certain matters to the controller. For example, if a data breach was committed, a processor would need to report this to the controller who would then assess whether this would be required to be reported to the ICO or not. It will also need to implement safeguards or security measures, record-keeping and ensuring compliance with the rules of any international data transfers. 

Can I sub-contract to another processor?

Yes, you can do this, but processors must firstly obtain the controller’s written authorisation to use a sub-processor. The processor will be liable for the sub-processors’ compliance so it is important to ensure that there is an agreement in place for this relationship so each party is clear of its obligations, and the processor can comply with its obligations with the controller.

If there are any subsequent changes of sub-processor, this must be authorised by the controller.

Can I be both a controller and a processor? 

Processors may be controllers for some personal data, and processors for other personal data. For example, a processor will be a controller regarding its own employees’ personal data. 

However, you cannot be a controller and a processor for the same processing activity. 

Finally, how does the controller-processor relationship work in practice?

The key is to determine each party’s degree of independence in determining how and in what manner the data is processed as well as the degree of control over it. At one extreme, one party (the client) will determine what personal data is to be processed and provide detailed processing instructions that the other party (the service provider) must follow. The service provider is tightly constrained in what it can do with the data and has no say at all over how it is processed. In this relationship the client is clearly the controller and the service provider is the processor. 

However, it is far more common for a data controller to allow its processor discretion over how the processing takes place using its own expertise. 

Key takeaways

  • Controllers determine the purpose of the data processing, not the processors. 
  • Processors act on the controller/s’ instructions, and although can make a certain decision about the way the processing will be done, has limited control over the data. 
  • It is prudent to have an agreement set up between joint controllers, the controller and processor, and processor and sub-processor so each party understands its obligations and these are documented. 
  • Controllers and processors have a different set of responsibilities, and have various responsibilities when dealing with data breaches.  

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team. 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

About this article

employmentboddy logo
clipboard logo HR Resources

Data Controllers and Data Processors factsheet

This factsheet is a guide for Data Controllers and Data Processors.

Read, listen and watch our latest insights

Pub
  • 09 July 2026
  • Litigation and dispute resolution

The Arbitration Act 2025 – Factsheet

This factsheet outlines the major reforms and key developments introduced by the Arbitration Act 2025, including updates on summary disposal, jurisdictional challenges, emergency arbitrators, arbitrator disclosure duties, and governing law in arbitration proceedings.

art
  • 09 July 2026
  • Immigration

Right to Work Checks are changing from 1 October 2026: Is your business ready?

The Home Office’s new rules, effective 1 October 2026, will overhaul right to work checks and raise the risk of civil penalties for UK businesses.

art
  • 08 July 2026
  • Privacy and Data Protection

ICO prosecutes employee under the Data Protection Act for forwarding client data to his personal email address

The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses.

Pub
  • 07 July 2026
  • Litigation and dispute resolution

Accelerating arbitration: Expedited procedures and key changes in the new ICC Rules – Episode 2

In episode 2, Jack Hobbs (Clarkslegal) and Christopher Howitt (Three Stone) explore how the latest expedited and highly expedited procedures under the ICC Arbitration Rules 2026 are transforming the landscape of dispute resolution.

art
  • 07 July 2026
  • Employment

6 month unfair dismissal rights: What employers need to know

Under the new Employment Rights Act 2025 the minimum period of service required to qualify to bring a statutory claim for unfair dismissal has been reduced from 2 full years to 6 months from 1 January 2027 onwards.  

art
  • 02 July 2026
  • Litigation and dispute resolution

Litigation and Artificial Intelligence: Where are we now?

In the recent case of Cork and another v Smith, the High Court publicly admonished a law firm and two of its solicitors after they had produced and submitted two AI-generated letters to the court containing misleading and false information in relation to a block transfer application made under Rule 12.37 of the Insolvency (England and Wales) Rules 2016.