Controller or processor – why it matters
Determining whether an actor is a controller or a processor is a foundational legal assessment under the General Data Protection Regulation (GDPR): it decides which obligations apply to each party, which party is accountable for the lawfulness of the processing, and whether (and how) a data processing agreement must be drafted.
A controller determines the purposes and the essential means of the processing (which data are processed, about whom, for how long, and for what purpose). A processor acts only on the controller’s documented instructions and has no independent discretion over those purposes or essential means; it may at most decide practical details such as the technical tooling, and only within the instructions it has been given. An incorrect allocation of roles has legal consequences, particularly where an agreement is missing or does not reflect how the data are actually processed. It matters because:
- The controller bears primary responsibility for lawful processing and must give the processor documented instructions covering the processing (Article 28(3) GDPR).
- The processor must not act outside those instructions; if it determines the purposes and means itself, it is treated as a controller for that processing and carries a controller’s liability (Article 28(10) GDPR).
- The allocation of roles determines which agreement is needed: a data processing agreement under Article 28 GDPR for a processor, or, where two parties jointly determine the purposes and means, a joint controller arrangement under Article 26 GDPR.
What happens when roles are misallocated?
If a company wrongly assesses a supplier to be a separate controller when it in fact acts as a processor, the company typically ends up with no Article 28 agreement at all, so the supplier is not contractually bound to the controller’s instructions, to confidentiality, to appropriate security measures, or to returning or deleting the data when the service ends. The reverse error, treating an independent controller as a processor, hides a disclosure of personal data that needs its own legal basis. A misallocation of roles can result in fines from the supervisory authority and weaker protection for data subjects. Each cooperation should therefore be reviewed and the allocation of responsibilities documented, for example in the record of processing activities under Article 30 GDPR. This provides clarity both internally and towards the supervisory authority.
In many organisations the boundary between controller and processor is blurred, particularly when using cloud services or advanced system providers, whose standard terms may reserve some use of customer data for the provider’s own purposes. In such cases a legal analysis of both the contract and the service’s actual functionality is required: what the service does with the data in practice counts for more than the label the parties give each other. To avoid misunderstandings, the company should review its cooperations regularly. If the allocation of roles changes, for example because a supplier starts using the data for its own purposes (which makes it a controller for that use), the new allocation must be assessed and governed in writing. It is also prudent to train key personnel on how the roles differ.
To clarify responsibilities, the following points can serve as a checklist when assessing roles:
- Who determines the purposes and means of the processing of personal data?
- Is the supplier permitted, in its contract or standard terms, to use the data for its own purposes (for example product improvement or analytics)?
- Are there clear, documented instructions governing how the data may be processed?
- Does the supplier engage sub-processors, and does the controller authorise and oversee them (Article 28(2) and 28(4) GDPR)?
- Are rights and obligations governed in a comprehensive data processing agreement, or, for joint controllers, in an Article 26 arrangement?
At Morling Consulting, our GDPR consultants help organisations establish the correct allocation of roles and ensure that responsibilities and agreements are appropriately governed.