Skip to content
LegalVision

What is the Difference Between a Controller and Processor Under the GDPR?

Avatar photo

By Jessica Anderson
Senior Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies both to businesses within the EU and to some in Australia. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both. Depending on whether you are a controller or processor will determine what your obligations are under the GDPR. This article will explain the difference between a controller and processor of data under the GDPR.

Who Does the GDPR Apply To?

The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:

  • are physically located in the EU;
  • target their goods or services to individuals in the EU; or
  • monitor individuals in the EU.

For example, simply allowing EU individuals to access your website does not necessarily mean you have to comply. However, if you offer products in a European currency, you will likely need to comply with the GDPR.

If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor. 

What is a Controller?

A controller is an entity that decides which personal data to collect from individuals. They then also decide how they will use that data. 

For example, if you are an online retailer and you collect the contact details of your customers, you are deciding which information to collect and are a controller. 

If your company is a controller, you will process data on many different occasions. 

For example, this may be when you:

  • collect contact details to communicate with customers; 
  • run analytics on your app to look for trends with the way users engage with your app; and
  • use cookies on your website. 

Each time you process data as a controller, you will need to choose a legal basis on which to do so. The table below explains the legal bases available to you.

ConsentThe individual has consented to you processing their personal data.
Performing a contractThe processing is a part of your obligations under a contract you have with the individuals.
Vital interestsThe processing is necessary to protect the vital interests of the individual.
Public interestThe processing is necessary for performing a task in the public interest.
Legal obligationYou are processing to comply with your businesses’ legal obligation.
Legitimate interests Processing is necessary for your businesses’ legitimate interests (this is self-assessed by you).

What is a Processor?

A processor is a business which is instructed to process personal data by a controller. This often occurs in the context of performing services for that controller. 

For example, a third-party payment processor (TPPP) like PayPal, that processes payments on behalf of an online retailer. Here, the retailer is a controller and the TPPP is a processor.

To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on: 

  • which information is collected; and
  • how to use the information.

Data Processing Agreements

The GDPR requires that controllers and processors have an agreement in place with their respective processors and controllers. Called a data processing agreement, this document should set out the way each party handles personal data. Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.

For example, a mobile app business that collects its users’ personal data is a controller. The business may also use a developer to provide ongoing development for the app. While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.

Here, the developer is acting as a processor. The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.

To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.

Non-Compliance With the GDPR

There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators.

For example, in January 2019, a French regulator fined Google €50 million (approximately AUD$79 million) for not adequately obtaining informed consent from individuals.

In the future, the EU regulators may investigate and impose sanctions on Australian businesses operating in the EU.

Key Takeaways

If the GDPR applies to your business, it is crucial to know whether you are a controller or processor. This is important as controllers and processors have different compliance obligations under the GDPR. If you fail to comply with the GDPR, your business may face large fines.

For more information on your business obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.   

Register for our free webinars

Avoiding NDIS Pitfalls: Key Breaches and How to Prevent Them

Online
Understand NDIS pitfalls and reduce the risk of breaches affecting your business. Register for our free webinar.
Register Now

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Sydney Office
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now
See more webinars >
Jessica Anderson

Jessica Anderson

Senior Lawyer | View profile

Jessica is a Senior Lawyer in LegalVision’s Commercial Contracts team. From day to day, Jessica enjoys preparing contracts to suit her clients’ needs, and walking clients through key-risk issues whether within a contract or within the broader regulatory landscape, from privacy law, consumer law, or community gaming and charities law.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Macquarie University.

Read all articles by Jessica

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

EU Visitors Access My Website: Do I Need to Comply with the GDPR?

General Data Protection Regulation (GDPR) Compliance Checklist

Differences Between the EU General Data Protection Regulation (GDPR) and the Australian Privacy Principles (APPs)

What Does Google’s GDPR Ruling Mean for My Business?

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards