We’ve been asked “What is a ‘data controller’ or a ‘data processor’ under GDPR?”, “How is a GDPR data processor different from a GDPR data controller?”, and even “Can a company be both a data processor and a data controller at the same time under the EU General Data Protection Regulation?” Here are the answers.

By now you are probably aware that GDPR goes into effect on May 25, 2018, and you realize that, despite a whole lot of misinformation out there, you do need to comply with GDPR if you process the personal data of people in the EU, even if your organization is in the United States (or, really, anywhere else). GDPR reaches non-EU organizations that offer goods or services to people in the EU or monitor their behaviour, so a mailing list with EU subscribers on it is enough to bring you within its scope.

So you probably started to read the full text of GDPR and found your eyes glazing over, and thus you may be confused as to whether you are a data controller, or a data processor, or maybe even both.

Part of the reason that reading the full text of GDPR can get one so confused is that the full text opens with the recitals, the prefacing language that talks a great deal about the obligations of data controllers and data processors before you ever get to the actual definitions. The definitions are in Article 4 of the regulation itself, which you don’t reach until after more than 30 pages of recitals!

Actual Definition and Meaning of Data Controller under GDPR

Here is what makes an organization (or even an individual) a data controller for the purposes of GDPR – this is GDPR’s actual definition, from Article 4(7), of ‘controller’ (the regulation itself never says ‘data controller’; that is the common shorthand):


‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law


Actual Definition and Meaning of Data Processor under GDPR

And here is what makes an organization or an individual a data processor for the purposes of GDPR – this is GDPR’s actual definition, from Article 4(8), of ‘processor’:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller


Put in plain English, and for the purposes of making it easy to wrap your head around, a data controller is whoever decides why personal data is being processed (the “purposes”) and how it is processed (the “means”). The controller is the one who chose to collect the data, decides what it will be used for, and decides how it is stored and secured, whether or not it does the hands-on work itself. Note the words “alone or jointly with others” in the definition: two organizations that decide the purposes and means together are joint controllers, and each is still a controller.

A data processor is any entity that processes personal data on behalf of a controller, which means it handles data it received from the controller (or collected for the controller) and does with it only what the controller has instructed. Processors do not themselves determine what is to be done with the data – they do the controller’s bidding, under a written contract that GDPR requires (Article 28). “Processing” is defined very broadly, so merely storing, transmitting, or deleting data on someone else’s behalf counts. Being “only” a processor does not mean having no obligations: processors have direct duties of their own under GDPR, including keeping the data secure and telling the controller about personal data breaches without undue delay.

Here is an example:

Acme Widgets uses Great Email Newsletters (“GEN”) to send email newsletters to Acme’s customers. To do so, Acme uploads the list of its customers’ email addresses to GEN.

Acme is the data controller – Acme acquired and stored its customers’ personal data, and Acme decided to use it to send out an email newsletter. (Note that Acme needs a lawful basis under GDPR for this use of the addresses; for marketing email that will, in practice, almost always mean the customers’ consent to receive it, so Acme needs to have obtained and recorded that consent first.)

GEN is the data processor. GEN was not the one to acquire the email addresses (Acme was), and GEN does not determine what is to be done with them (Acme does). GEN may only use Acme’s list for what Acme has instructed it to do, namely sending Acme’s newsletter, and the contract between Acme and GEN has to say so.

Can a single entity be both a data controller and a data processor? Absolutely. That can take one of two forms: a) some of its activities make it a controller and others make it a processor (GEN, in the example above, is a processor for Acme’s subscriber list but a controller of the data it holds about its own customers, such as the names, logins, and billing details of the Acme employees who use its service), OR b) a vendor that holds data as a processor starts using that data for its own purposes, beyond what the controller instructed – for example, GEN using Acme’s list to market GEN’s own services. GDPR says a processor that determines its own purposes and means for that processing is treated as a controller for it (Article 28(10)), with all of a controller’s obligations. Note that simply collecting data on a controller’s behalf (think outsourced sign-up forms, where the data is captured and stored on the vendor’s servers) does not by itself make the vendor a controller: collection and storage are processing, and as long as it happens on the customer’s instructions the vendor is still just the processor for that data.

We are ISIPP SuretyMail, the original certified sender program and email deliverability service.