All you need to know about GDPR Controllers and Processors

Understanding what the GDPR means by Controller and Processor, and what their responsibilities are.

In the introductory post of this series I briefly discussed the GDPR definitions of Controller and Processor; let's start by recalling these definitions.

There are a number of similarities between Controllers and Processors: both can be a natural or legal person, public authority, agency or other body which carries out processing of personal data belonging to an individual. A given data processing organization is either a Controller or a Processor based on its answers to the following two questions.

  1. Does the particular organization determine the purpose of the data processing (Why)?

If the answer is ‘Yes’, the organization is a Controller; if the answer is ‘No’, the organization is a Processor.

Let’s take a few examples to explain this concept properly. Assume a biscuit manufacturing company engages a market research company to conduct research and provide recommendations on what it should target in its new product line in order to reach 10% market growth. This is a very clear goal set by the biscuit manufacturing company, and no other data or conditions are provided by it. The market research company has the freedom to decide which individuals to target for the research, what kind of personal data to collect, what kind of personal data to store, the storage mechanism, the approach to processing the data, etc. In this example ‘the purpose of the data processing and the means of data processing’ are decided by the market research company, which means the market research company is a Controller under the GDPR.

Another example: a payroll management company processes personal data provided by some other company, under that company’s instructions. Usually payroll handling companies do not determine the purpose of the processing or how those payments and the related personal data are processed, which means the payroll handling company is a Processor under the GDPR.

Before we conclude this section, here are the exact GDPR definitions of Controller and Processor.


‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;


The processor is the entity (which can be a natural or legal person, public authority, agency or other body) which processes personal data on behalf of the controller, under the controller’s instructions.

Controllers can be further categorized based on factors such as whether they operate as a single legal entity or not, their place of establishment, etc.

Joint Controllers

When more than one controller is involved in deciding the purpose and means of processing, those controllers are known as “Joint Controllers”. According to the GDPR, joint controllers should fulfil the following set of requirements.

  1. Each controller should be able to demonstrate its responsibilities, compliance and obligations to individuals and supervisory authorities in a clear, unambiguous and transparent manner.

Controllers established outside the EU

In addition to the general regulations, controllers established outside the EU must appoint a representative and must fulfil the following criteria as well.

  1. The representative should be within the EU.

However, public authorities, and organizations that process small amounts of personal data (not special categories or criminal conviction data) on an occasional basis, are exempt from the above requirements.

Responsibilities of the Controller

According to the GDPR, controllers should implement appropriate technical and organizational measures to comply with the GDPR, and should also be able to demonstrate that those technical and organizational measures are in accordance with the GDPR. These measures may include …

  1. Implementation of data protection policies.

The controller is also subject to the following two principles.

— Data protection by design: according to this principle, both when determining the purpose of data processing (planning time) and during the actual data processing itself (execution time), controllers should implement appropriate technical and organizational measures. A few of the most important measures are given below.

  • Pseudonymization of personal data.

— Data protection by default: according to this principle, controllers should only process the personal data required for the current purpose of the processing. This also implies collecting only the required data, and storing it only for the required duration.

Controllers should only use processors who can guarantee and demonstrate their compliance with the GDPR; the GDPR code-of-conduct and certification elements are helpful in making such decisions. Controllers should also ensure that processors process data based on the exact instructions provided by the controller.

The controller should maintain records of data processing, including the following information.

  1. Name and contact details of the controller, any representative and any data protection officer (DPO).

Conducting a data protection impact assessment (DPIA), depending on the nature of the data processing, is also a responsibility of the controller; we will discuss impact assessments in a separate section.

Responsibilities of the Processor

  • Processing of personal data by a processor should always be based on documented instructions from a controller.

The processor should maintain records of data processing, including the following information.

  1. Name and contact details of the processor, the associated controllers, any representative and any data protection officer (DPO).

How to behave in a data breach

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. A data processing organization (controller or processor) should take every possible measure to eliminate the risk of a data breach, but in reality nobody can practically guarantee 100% security of data or of a system. Considering this practical risk, the GDPR provides a comprehensive set of regulations to deal with data breach incidents, which includes

  • how to communicate with supervisory bodies.

It is mandatory for controllers and processors to establish efficient procedures for the above notifications.

During a data breach, the following procedure should be followed to communicate with the supervisory bodies.

  • Report the data breach within 72 hours.

— Nature of the data breach.

— Categories of the data breach.

— Approximate number of individuals affected.

— Approximate number of data records affected.

— Consequences of the data breach.

— Proposed measures to mitigate the data breach.

During a data breach, the following procedure should be followed to communicate with individuals.

  1. Communicate with each individual without delay.

Data Protection Impact Assessments (DPIA)

The GDPR recommends that controllers carry out a data protection impact assessment (DPIA) depending on the nature of the data processing, especially when adopting new technologies. This impact assessment needs to be conducted before any data processing takes place, and if a DPO is present, controllers can seek his/her advice.

The following are the cases in which the GDPR mandates an impact assessment.

  1. Systematic and extensive evaluation of personal data using automated processing, including profiling.

An impact assessment should focus on the following factors.

  • Systematic description of the processing.

If the result of an impact assessment indicates a high risk, the controller can consult the supervisory authorities for advice; the GDPR has clear guidelines on what needs to be communicated to the supervisory authorities, with applicable timelines.

Data Protection Officer (DPO)

The GDPR introduces a special role called the Data Protection Officer (DPO) to provide the necessary advice to processing organizations and to act as the point of contact for outside parties such as individuals and supervisory authorities.

Both controllers and processors can appoint a DPO based on his/her professional qualifications, expert knowledge and ability to perform the assigned tasks; one DPO can also serve a group of related organizations. A DPO can be a staff member of the organization or a contracted individual. Additionally, a DPO can perform other tasks within the organization as long as those activities do not cause a conflict of interest.

To comply with the GDPR, a processing organization should assist the DPO in carrying out his/her activities and should ensure that the DPO is involved in any matter related to data protection; additionally, the DPO should report to the highest level of management of the processing organization.

Individuals should contact the DPO to resolve any issues related to their personal data, and the DPO is bound to confidentiality in carrying out his/her duties.

According to the GDPR, appointment of a DPO is required in the following cases.

  1. Processing is carried out by a public authority, except courts.

The GDPR text itself does not provide a quantitative interpretation of the phrase “large amount of data”, but according to Gartner, organizations processing the data of more than 5000 individuals within 12 months fall under the “large amount of data” phrase.

The GDPR also lists out the following basic responsibilities for the DPO.

  • Inform and advise staff members on data protection regulations and procedures.

Code-of-conduct and certifications

Under the GDPR, associations or other bodies, such as professional bodies representing categories of controllers/processors, are encouraged to draw up codes of conduct, within the limits of the regulation, aiming to facilitate the effective application of the GDPR. The GDPR provides further details about the exact procedure to follow and guidelines for forming such codes of conduct, including monitoring mechanisms for approved codes of conduct.

In order to help controllers/processors comply with the regulation, the GDPR encourages the establishment of certification mechanisms and data protection seals. From an individual’s point of view, such certifications and seals help to quickly assess the level of data protection of relevant products and services. You can read further details on certification in the GDPR main text.

Sagara Gunathunga

Director — Solutions Architecture WSO2 ANZ. Integration and Identity Architect. PMC Member @ The Apache Software Foundation