Am I a ‘data controller’ or a ‘data processor’? And why is it important anyway?

Am I a ‘data controller’ or a ‘data processor’? And why is it important anyway?

The distinction is important with respect to how you should act in the era of the GDPR. Understand the difference between data controller and processor in 5 minutes to ensure your website complies with the GDPR.

Quick overview

Data controller: Simply put, the data controller controls the procedures and purposes of data usage. The data controller decides how and why data are going to be used by a company/organization. This is typically the owner or manager of the company website.

Data Processor: Processes any data that the controller provides. In short, the data processor processes data on behalf of the controller and does not own or control the data they process. This is usually a third-party external to the company e.g. Google, Facebook, Addthis.

There are a lot of measurements needed to be taken when your website uses third-party services to analyze website traffic (e.g. Google Analytics, Hotjar), give you cool social media buttons (e.g. Facebook, Twitter, LinkedIn), or if you have YouTube/Vimeo videos on your site (e.g. Google, Doubleclick). These third-party services all set marketing cookies which collect and process personal information.

But different rules apply for those who control and those who process the data. Often it is unclear who is the data controller and who is the data processor.

Here we explain the difference, so you know which measures to take with respect to the General Data Protection Regulation (GDPR).

Who controls and who processes your visitors’ data?

You have a website, or a web shop, and you would like to analyze your website’s traffic and how your visitors get onto your site. You could use a data analytics provider like Google Analytics for the purpose and with the insights you can develop strategies to boost your sales.

However, when collecting and processing there are certain measures you need to take in order to comply with EU regulations like the General Data Protection Regulation (GDPR).

First, let’s take a look at who is who and what you need to do as a website owner.

The data controller

Control of data, rather than possession, is the key factor here.

The data controller is the person, company or organization that determines the purposes for which and the means by which personal data is processed.

If you or your company decides the ‘why’ and the ‘how’ personal data are processed, you are the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller.

The data processor

The data processor processes personal data only on behalf of the controller. The data processor is usually a third-party external to the company. This includes storage of data on third-party servers or a data analytics provider.

Example – collect and process data with Google Analytics

Let’s get back to our example with Google Analytics. To start analyzing your website traffic, you install Google’s tracking code. Your website starts collecting (through Google Analytics’ cookies) data and Google starts processing the data on behalf of the data controller – you.

You control data, Google processes the data (on your behalf). Therefore, you are the data controller and Google the data processor. However, if you provide the data to Google Analytics and they come up with the purposes and means of processing, then you are both data controllers, but Google Analytics is also (still) the processor.

Why is this important to me?

If you want to become – or stay – GDPR compliant on your website, there are certain measures you need to take. This list is not exhaustive (to the GDPR) but concerns your website’s use of cookies. As a data controller you are responsible for:

1) Collection, managing and access to data

The European Commission’s guidance holds the data controller to be the principal party responsible for collecting, managing, and providing access to data. For example, if a user (the data subject) requests his or her data, the controller (you) would have to access it from your servers or from the processor you have contracted to handle the data. Only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data. Data controllers must also ensure this process to be as transparent as possible by creating and posting a Privacy Policy that outlines:

  • Which data are collected through cookies.
  • For which specific purpose data are processed.
  • Who processes the data (whom data are shared with).
  • For how long data are stored by first and third-parties.
  • For how long data are stored by first and third-parties.

Any time a data processor becomes involved in collecting data, they also become a data controller and all of the abovementioned responsibilities apply to them as well.

2) Keeping records of consents

Under the GDPR, data controllers are required to keep records of the consents given to process website users’ personal information. This also means, that if you are the data controller, you are responsible when the Data Protection Authorities ask for your website users’ cookie consents.

3) Appointing a Data Protection Officer

Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with website visitors’ personal data.

Although controllers and processor have different obligations under the GDPR, their roles are also complementary in reaching the goals of transparency and accountability.

Working together promotes compliance and helps both parties avoid the new, heavy economical penalties which come with violating GDPR rules.

What can cookie information do for you?

With Cookie Information’s Consent Solution, you can become complete ePrivacy and GDPR compliant on your website with a few simple steps.

Try Cookie Information’s Consent Solution and get a GDPR valid cookie consent pop-up banner complete with updated cookie policy (based on in-depth scans of your website’s subpages), privacy controls so visitors can opt-out (reject) cookies and we also provide SDK implementation for preventing cookies from being set prior to obtaining user consent (which is vital under the GDPR).

Are you ready to become compliant on your website? Try our Consent Solution today. Free trial, no credit card neeeded.


Article 4(7) and (8), Articles 24, 26, 28 and 29 and Recitals (74), (79) and (81) of the GDPR

Article 29 Working Party Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ (WP 169)


EU – what is a data controller and a data processor