Data processor
What is a data processor?
A data processor is an external party engaged to carry out specific tasks. Typical examples include services for marketing, data analytics and administrative systems. Where one organisation sells a service to another and processes personal data on the buyer’s instructions, the seller acts as the data processor for the buyer.
Processing personal data on the buyer’s instructions means the seller must follow the guidelines set by the controller. The data processor has a defined mandate to perform certain processing on behalf of the controller, who determines the purposes and means of the processing.
Where a processor relationship exists, GDPR requires a data processing agreement to be in place. This agreement sets the scope and purpose of the processing and the categories of personal data involved, and clarifies the processor’s rights and obligations.
In some cases, multiple parties may share responsibility as joint controllers. They must coordinate to ensure all legal requirements are met.
How can Morling Consulting help?
Morling Consulting drafts, reviews and negotiates data processing agreements and provides ongoing advisory support on compliance. Our support reduces the risk of acting contrary to the contract or GDPR by giving you clarity on interpretation and application. Our services include:
- Assessing whether your organisation acts as controller, data processor or joint controller.
- Developing data processing agreements to regulate the relationship correctly.
- Helping to identify and define the purposes and means of processing.
- Advising on the legal obligations attached to each role.
- Advising on joint controllership and allocation of responsibilities.
We also assess the roles of parties in collaborations involving personal data processing. Correctly identifying whether you are a controller, a data processor or operating under joint controllership is essential to meeting GDPR requirements across Europe.
Primary responsibilities
GDPR data processor: core responsibilities
A data processor must implement appropriate technical and organisational measures proportionate to the risks posed by the processing. This may include encryption, access controls and regular security reviews. These measures must align with the controller’s instructions.
Beyond security, the data processor must support the controller in handling data subject requests and in notifying and managing any data breaches or other personal data incidents.
In summary, the GDPR data processor plays a key role in enabling compliance. By following GDPR requirements and cooperating closely with the controller, processors help ensure compliance is maintained. The data processor’s main responsibilities include:
- Processing data only in accordance with the controller’s instructions.
- Entering into and acting under a data processing agreement that defines the purpose, scope and rules for processing.
- Implementing technical and organisational security measures to protect personal data.
- Assisting the controller in responding to data subject requests.
- Assisting with notification and management of personal data incidents.
- Documenting measures and processes to demonstrate GDPR compliance.
- Cooperating with the controller and, where relevant, the Data Protection Agency.
Get in touch
If you have questions about data processing agreements or need support managing personal data, contact us. We will discuss your needs and provide guidance aligned to your operations.
Whether you are drafting new agreements, reviewing existing ones or seeking advice on a specific matter, we act as a sounding board and provide practical, business-focused guidance.
Common questions about data processors
A controller determines why and how personal data are processed, while a data processor only processes the data according to the controller’s instructions.
Example: A company engages an external agency to send customer emails. The agency receives customer lists and uses them in line with the company’s instructions. The agency is the data processor; the company that set the purpose is the controller.
A data processing agreement is required when an external party processes personal data on behalf of a controller. This is a legal requirement under GDPR and applies, for example, when:
- A company uses a cloud service provider that processes personal data.
- Marketing, customer service or HR functions involving personal data are outsourced to a third party.
- A third-party supplier accesses personal data as part of its assignment.
The agreement ensures the processing is secure and lawful.
Without a well-structured contract, there is a greater risk of non-compliant processing and personal data incidents. Ambiguity over responsibilities can undermine control, and the Data Protection Agency may intervene with sanctions and significant fines. Trust can also be damaged among customers, partners and the public.
It depends on who decides the purposes and means of the processing:
- If you decide why and how personal data are processed → you are the controller.
- If you process data under another party’s instructions → you are the data processor.
Morling Consulting can clarify roles for your operations and each collaboration involving personal data. For those asking “what is a data processor”, we map your activities to the correct role.
We provide advice and practical support to help you comply with GDPR. This includes:
- Legal assessment of your role in collaborations involving personal data.
- Preparation and review of data processing agreements.
- Support on compliance queries and communications with controllers or processors.
- Advice on security measures and documentation.
No, but strict conditions apply when the processor is outside the EU/EEA. International transfers must meet GDPR requirements, for example by using standard contractual clauses (SCCs). Morling Consulting helps you manage international transfers.
Under GDPR, a compliant agreement should, for example, cover:
- Types of personal data and categories of data subjects.
- The processor’s obligations and the controller’s instructions.
- Required security measures.
- Rules on sub-processors, incident reporting and data return or deletion.
Morling Consulting drafts and reviews agreements so that nothing material is overlooked. For organisations asking “what is a data processor” or seeking a concise data processor definition, we ensure the contract terms reflect your operating reality.
Yes — but not for the same processing. An organisation may be a controller in one context and a processor in another. Each processing activity must be analysed and roles clearly defined. Morling Consulting helps draw these boundaries so you act correctly in every part of your business.
Examples include:
- Determining each party’s role in collaborations involving personal data.
- Reviewing a supplier’s data processing agreement before signature.
- Guidance on procedures for cooperation between joint controllers.
Our advisory is built around your structure, needs and challenges across Europe.
Contact
Contact us
If you prefer to speak by phone, please feel free to contact Felix Morling at +46 70 444 42 85.