GDPR: Who are data controllers and processors?

What is a data controller?

When making decisions or processing personal data, it is important to understand whether your role is that of a controller or a processor, as each has different duties and obligations when dealing with personal data. We have set out below what each role entails.

What does a controller do?

The Information Commissioner’s Office (ICO) defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”. Ultimately, controllers determine the purposes and means of processing, in particular, what data to process, why and how. They are the main decision-makers and exercise overall control as to how the personal data is processed.

What does it mean if you are a controller?

It is important to recognise that controllers have the highest level of compliance responsibility and have overall accountability for how personal data is handled. Controllers must:

  • Comply with, and demonstrate compliance with the data protection principles, which are, broadly, to ensure that personal data is:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date;
    • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Ensure that individuals can exercise their rights regarding personal data.
  • Implement appropriate technical and organisational security measures to ensure security of personal data.
  • Only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements.
  • Conduct an assessment of the processor’s guarantees by taking into account the processor’s expert knowledge, reliability and resources and where relevant the processor’s reputation.
  • Enter into a binding contract or other legal act with processors, which must include the following regarding the processing of personal data as a minimum:
    • The subject matter and duration of the processing;
    • The nature and purpose of the processing;
    • The type of personal data and categories of data subject; and
    • The controller’s obligations and rights.

    In addition, the following specific terms or clauses must be included in the contract:

    • Processing only on the documented instructions of the controller;
    • Duty of confidence;
    • Appropriate security measures;
    • Using sub-processors;
    • Data subjects’ rights;
    • Assisting the controller;
    • End-of-contract provisions;
    • Audits and inspections.
  • Notify processors of any relevant information which may help the processor meet its duties in providing assistance to the controller in ensuring its compliance with Articles 32-36 of the UK GDPR, which cover security of processing, notification of a personal data breach to the Commissioner, communication of a personal data breach to a data subject, data protection impact assessments and prior consultation.
  • Assess data breaches, and notify personal data breaches to the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers must also notify affected individuals, if the breach is likely to result in a high risk to their rights and freedoms.
  • Comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments (DPIAs) and appointing a data protection officer.
  • Pay the ICO a data protection fee unless exempt.
  • Understand their liability: controllers are liable for their own compliance under the UK GDPR and therefore any applicable sanctions, claims and damages.

Can there be more than one controller?

Yes, the UK GDPR defines this as being a ‘joint controllership’, where two or more controllers jointly determine the purposes and means of processing. Joint controllers have shared purposes and can take different forms and combinations. It is important that there is a transparent agreement in place, which sets out each controller’s obligations, roles and responsibilities for UK GDPR compliance.

They are not joint controllers if they are processing the same data for different purposes.

A joint controller can be held liable for non-compliance in exactly the same way as any sole controller. Each joint controller will be liable for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage.


Melanie Pimenta

Senior Solicitor

View profile

+44 118 960 4653

What is a processor?

The ICO defines a processor as being “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Processors are separate legal entities to the controller which act on behalf of, and only on the instructions of, the relevant controller, and therefore do not have any purpose of their own in processing the data.

For example, the controller’s employees are not processors. 

Like controllers, processors are subject to obligations under the UK GDPR but, in contrast, processors are required to report certain matters to the controller. For example, if a data breach was committed, a processor would need to report this to the controller, who would then assess whether or not it must be reported to the ICO. A processor will also need to implement safeguards or security measures, keep records and ensure compliance with the rules on any international data transfers.

Can I sub-contract to another processor?

Yes, you can do this, but processors must first obtain the controller’s written authorisation to use a sub-processor. The processor will be liable for the sub-processor’s compliance, so it is important to ensure that there is an agreement in place for this relationship so that each party is clear about its obligations, and the processor can comply with its obligations to the controller.

Any subsequent change of sub-processor must also be authorised by the controller.

Can I be both a controller and a processor? 

Processors may be controllers for some personal data, and processors for other personal data. For example, a processor will be a controller regarding its own employees’ personal data. 

However, you cannot be a controller and a processor for the same processing activity. 

Finally, how does the controller-processor relationship work in practice?

The key is to determine each party’s degree of independence in determining how and in what manner the data is processed as well as the degree of control over it. At one extreme, one party (the client) will determine what personal data is to be processed and provide detailed processing instructions that the other party (the service provider) must follow. The service provider is tightly constrained in what it can do with the data and has no say at all over how it is processed. In this relationship the client is clearly the controller and the service provider is the processor. 

However, it is far more common for a data controller to allow its processor discretion over how the processing takes place using its own expertise. 

Key takeaways

  • Controllers determine the purpose of the data processing, not the processors. 
  • Processors act on the instructions of the controller or controllers and, although they can make certain decisions about the way the processing will be done, have limited control over the data.
  • It is prudent to have an agreement set up between joint controllers, the controller and processor, and processor and sub-processor so each party understands its obligations and these are documented. 
  • Controllers and processors have different sets of responsibilities, and each has various responsibilities when dealing with data breaches.

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team. 

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
