Support with GDPR for data controller vs processor assessments
Determining who is the data controller and who is the data processor is critical to meeting the requirements of the General Data Protection Regulation (GDPR). An incorrect assessment can have legal consequences. Many organisations turn to us for help with GDPR when roles are unclear or new collaborations need to be formalised. We offer hands-on GDPR support in practice — from role analysis to data processing agreements and impact assessments.
Data controller vs processor
The party that decides the purposes and means of the processing of personal data is the controller. A processor, by contrast, processes data on behalf of the controller and must not act independently as to purpose or method. The assessment must be made case by case and based on the factual circumstances, not merely on contractual wording.
In practice, a controller bears full responsibility for ensuring that the processing of personal data complies with GDPR, including informing data subjects, documenting purposes and ensuring a lawful basis for processing. A processor may act only on processing instructions and has no independent responsibility for matters such as the purpose of collection or the retention period. If the processor starts taking its own decisions about the processing, it in effect becomes a separate controller. It is therefore essential not only to draft contracts but also to ensure that roles are followed in day-to-day operations.
Joint controllers and Article 26 GDPR
Where two or more parties jointly determine the purposes and means, they are joint controllers. A clear arrangement is then required that allocates responsibilities in accordance with Article 26 GDPR — commonly referred to as a joint controllership agreement or a GDPR joint controller agreement. This is typical where both parties influence the purposes and means of the processing.
In practice, joint controllership often arises where a company and a partner operate a shared customer portal, a recruitment system or a loyalty programme. Both parties use the same data for their own purposes and have jointly decided what to collect and how to use it. In such cases there must be a joint controller arrangement in which roles, responsibilities and communication with data subjects are clearly defined — even if one party performs more of the operational processing.
Data controller vs processor: contractual and operational consequences
The distinction between roles affects both contractual content and incident responsibility. A data processing agreement must contain certain mandatory clauses under Article 28, and processing instructions must be precise. At the same time, organisations must ensure that the role allocation matches the processing of personal data in practice. For many businesses this means support with GDPR across analysis and documentation, including role analysis, lawful basis for processing, purpose of collection and retention period.
Need expert GDPR support?
Do you need help with GDPR issues related to role allocation? Morling Consulting provides analysis, contracts and advisory services. Our experienced GDPR lawyers ensure the right roles, controls and routines are in place, including controller vs processor assessments and joint controller arrangements.