Data controller and data processor

You must have read about processor and controller on many blogs before, therefore you probably know the difference between the two by now. Let’s be honest it isn’t a rocket science, but when it comes to responsibility there are a few things that should be clear.




data controller, data processor, awfulness of processing, GDPR

Let’s start with the short definitions. Data controller is who determines the purposes and means of the processing of personal data, and data processor is the one that is charged by the controller with processing personal data.

It is important that the data processor has only the power over the data that they have received from the controller. If they would also perform any other activity with the data, they would become a data controller.

So far, the regulation does not make much of a difference compared to previous legislation on information self-determination and freedom of information, but it is important to note that GDPR distinguishes another data processor as well. Another processor is who is charged by the processor to process the data.

There is a contractual relationship between the controller and the processor, if the processor involves another processor, then the requirements of the contract related to the controller must be enforced against the other processor.


As far as responsibilities are concerned, the data controller is responsible for everything and in fact that’s all. If an incident occurs at the processors, the controller will be responsible, and the controller will also be responsible for data breach occurring at another processors.

It is not difficult to make a mistake, so the controller’s liability is particularly serious. In our previous post (első poszt linkelve) we mentioned some bad practices, for example the transfer of personal data without adequate protection or storage or use of the data for marketing purposes after the request to delete the person’s personal data.


Due to the main services of Process Solutions, the organization must comply as a data processor and also as a data controller. An organization of more than 500 employees appears as data controller in the role of employer and it appears as data processor to their clients in the course of services.

From any side, ensuring lawfulness of processing is a key issue, which will be discussed in our next post.



Powered by FORTIX Consulting