GDPR controller and processor

Also: data controller, data processor, GDPR Article 4

Origin: Regulation (EU) 2016/679 (GDPR), Articles 4(7) and 4(8); operational machinery in Article 28.

The two principal categories under which an entity that handles personal data is regulated under the EU General Data Protection Regulation. The controller determines the purposes and means of processing; the processor processes personal data on behalf of a controller under contract. The distinction governs the allocation of responsibility and the contractual machinery required between the two.

The General Data Protection Regulation distinguishes two principal categories under which an entity that handles personal data is regulated. The “controller”, defined in Article 4(7), is the natural or legal person that “alone or jointly with others, determines the purposes and means of the processing of personal data” — the entity that decides what data is collected, why, and what is done with it. The “processor”, defined in Article 4(8), is the natural or legal person that “processes personal data on behalf of the controller” — the entity that handles the data only as instructed.

The distinction governs the allocation of legal responsibility. The controller is the primary obligor under the regulation: it owes the data-subject rights (access, rectification, erasure, portability), it owes lawful-basis discipline (Article 6), it owes accountability (Article 5(2)), and it is the entity supervisory authorities look to first for compliance. The processor owes a narrower set of duties — to process only on documented instructions, to maintain confidentiality, to assist the controller in meeting its obligations, and to operate under a written contract with content prescribed by Article 28.

For an offshore-hosting operator the classification matters operationally. A pure infrastructure-as-a-service operator that does not look at customer data, does not derive metadata for advertising, and does not aggregate across tenants is in the processor role: the subscriber controlling the workload is the controller, and the operator processes on instructions. An operator that runs a managed editorial product (for instance, the publication’s own journal) is in the controller role for that product’s data. The two roles can be held simultaneously across different services within the same legal entity, and the Privacy policy sets out which role OffshorePress occupies for which surface.

The role classification is also what determines whether Schrems II transfer machinery applies, since the prohibition on third-country transfer without adequate protections binds controllers and processors separately.