
CIPP/E Domain 2: Understanding Controllers and Processors Under GDPR

Quick Insights:

Under the GDPR, a data controller decides why and how personal data is processed, while a data processor processes personal data on behalf of the controller and according to documented instructions. This distinction is critical because it determines accountability, contractual obligations, breach responsibilities, data subject rights handling, and international transfer duties. In practice, organizations must look beyond job titles or contract labels and assess who actually makes decisions about the purpose and essential means of processing.

In today’s data-driven economy, organizations do not just use data; they rely on it to innovate, automate, market, and compete. But with opportunity comes responsibility. The European Union reshaped global privacy expectations through the GDPR, establishing a clear accountability framework for how personal data is handled.

Understanding Controllers and Processors Under GDPR

At the heart of this framework lies a fundamental question: Who decides how personal data is used, and who carries out those decisions?

The answer revolves around two core roles defined in the GDPR: data controllers and processors. Understanding the distinction between these roles is critical not only for compliance but also for contractual clarity, risk allocation, and governance maturity.

Controllers and Processors: Who Does What?

The concepts of controller and processor, introduced in the Data Protection Directive and retained in the GDPR, define who holds responsibility and decision-making power over personal data. Although often complex in practice due to modern business and IT structures, these roles are essential for understanding compliance obligations and accountability.

Data Controller: A data controller is an individual or organization (for example a public authority, agency, or other body) that determines the purposes and means of processing personal data.

In simple terms:

The controller decides why and how personal data is processed.

Core Responsibilities of a Controller

Controllers carry primary accountability under the GDPR and must:

  • Ensure lawful processing (identify a valid legal basis)
  • Provide transparency through privacy notices
  • Respect data subject rights (access, erasure, rectification, etc.)
  • Conduct Data Protection Impact Assessments (DPIAs) where required
  • Implement appropriate technical and organizational security measures
  • Notify supervisory authorities and affected individuals in case of a breach
  • Ensure lawful international transfers
  • Maintain records of processing activities (where applicable)

Controllers may operate:

  • Alone
  • As joint controllers (sharing decision-making authority)
  • Within complex corporate structures

Joint Controller

Joint controllership often appears in partnerships, co-branded platforms, shared databases, analytics collaborations, or marketing campaigns where more than one party influences how personal data is used. In such cases, Article 26 requires a transparent arrangement that explains each party’s responsibilities.

When acting jointly, responsibilities must be transparently allocated.

How the Role of Controller Arises

An entity may become a controller through:

  • Legal designation: the role is explicitly defined by law
  • Functional role: the role is determined by operational context
  • Factual influence: the entity holds actual decision-making power over data use

What matters is real decision-making authority, not job title or contract wording.

Data Processor: A data processor is an individual or organization that handles personal data on behalf of the controller. While processors must comply with specific GDPR obligations (e.g., data security, breach notification, lawful international data transfers), they act strictly under the controller’s documented instructions. If a processor determines the purposes or essential means of processing, it may be reclassified as a controller.

Core Responsibilities of a Processor

  • Process data only on documented instructions from the controller
  • Ensure confidentiality of personnel handling the data
  • Implement appropriate security measures
  • Support controllers in responding to data subject requests
  • Support DPIAs and risk assessments
  • Notify the controller without undue delay of breaches
  • Delete or return data after contract termination
  • Allow audits and inspections by the controller

Use of sub-processors requires prior authorization from the controller, and the main processor remains fully liable for its sub-processors.

Article 28 Processor Contract Requirements

Under Article 28 GDPR, controllers must use processors that provide sufficient guarantees for security and GDPR compliance. The controller-processor relationship must be defined by a written contract covering processing instructions, confidentiality, security, sub-processors, breach support, deletion/return of data, audits, and assistance with compliance duties.

Distinguishing Roles of Data Controller and Data Processor

Key factors to differentiate roles include:

  • Who determines the purpose of processing?
  • Who decides the essential means (type of data, retention period, sharing practices)?
  • Who interacts directly with data subjects?
  • Who bears the primary compliance risk?
  • How much instruction and oversight does one party exercise over the other?

In short, controllers decide the “why and how” of data processing, while processors carry out the “how” under the controller’s direction. Understanding these roles is critical for legal compliance and accountability under the GDPR.

In Conclusion

Clearly defining the responsibilities of the controller and the processor is essential for GDPR compliance. Controllers carry primary accountability because they decide the purpose and essential means of processing, while processors act under the controller’s documented instructions and must meet specific GDPR obligations.

To be continued: Data Subject Rights

CIPP/E Certification Training with InfosecTrain

For privacy professionals, mastering these roles goes beyond legal terminology. It helps build stronger privacy governance, clearer contracts, better accountability, and more confident GDPR compliance in real-world business scenarios. If you want to build practical expertise in GDPR responsibilities, controller-processor agreements, data subject rights, breach obligations, and European privacy compliance, structured training can help you move from theory to real-world application.

Take the next step with InfosecTrain’s CIPP/E European Privacy Training and strengthen your knowledge of GDPR concepts that matter in today’s privacy-driven business environment.


TRAINING CALENDAR of Upcoming Batches For CIPP European Privacy Online Training

Start Date   | End Date    | Start - End Time  | Batch Type | Training Mode | Batch Status
-------------|-------------|-------------------|------------|---------------|-------------
13-Jul-2026  | 28-Jul-2026 | 20:00 - 22:00 IST | Weekday    | Online        | [ Close ]
08-Aug-2026  | 29-Aug-2026 | 09:00 - 13:00 IST | Weekend    | Online        | [ Open ]
07-Sep-2026  | 22-Sep-2026 | 20:00 - 22:00 IST | Weekday    | Online        | [ Open ]
10-Oct-2026  | 25-Oct-2026 | 09:00 - 13:00 IST | Weekend    | Online        | [ Open ]
16-Nov-2026  | 01-Dec-2026 | 20:00 - 22:00 IST | Weekday    | Online        | [ Open ]
05-Dec-2026  | 20-Dec-2026 | 09:00 - 13:00 IST | Weekend    | Online        | [ Open ]

Frequently Asked Questions

What is the difference between a data controller and a data processor?

A controller decides why and how personal data is processed. A processor handles data according to the controller’s instructions.

Can a processor become a controller under GDPR?

Yes. If a processor starts deciding the purpose or key methods of processing, it may become a controller for that activity.

What are joint controllers under GDPR?

Joint controllers are two or more parties that jointly decide why and how personal data is processed.

What should be included in a controller-processor agreement?

It should cover instructions, confidentiality, security, sub-processors, breach support, audits, and data deletion or return.

Why must organizations correctly identify controllers and processors?

Because the role decides GDPR responsibilities, liability, contract terms, breach duties, and data subject rights handling.
