What is a data controller under the GDPR?

Why is it important whether you're a data controller or data processor in the era of the GDPR? Let's look at the differences and responsibilities regarding your company website.
Table of Contents

Are you a data controller or data processor? Let’s find out!

And if you are unsure if your website is GDPR compliant, get a free compliance check here.

Who controls and who processes your visitors' data?

You have a website, or a web shop, and you would like to analyze your website’s traffic and how your visitors get onto your site. You could use a data analytics provider like Google Analytics for the purpose and with the insights you can develop strategies to boost your sales.

However, when collecting and processing data there are certain measures you need to take in order to comply with EU regulations like the General Data Protection Regulation (GDPR).

First, let’s take a look at who is who and what you need to do as a website owner.


Simply put, the data controller controls the procedures and purposes of data usage. 

The data controller decides how and why data is going to be used by a company/organization. 

This is typically the owner or manager of the company website.


Processes any data that the controller provides. In short, the data processor processes data on behalf of the controller and does not own or control the data they process. 

This is usually a third-party external to the company e.g. Google, Facebook, Addthis, Hotjar, LinkedIn etc. 

Article 29 Working Party on Data Controller and Data Processor

Example: Collect and process data with Google Analytics

Let’s get back to our example with Google Analytics.

To start analyzing your website traffic, you install Google’s tracking code.

Your website starts collecting (through Google Analytics’ cookies) data and Google starts processing the data on behalf of the data controller – you.

You control dataGoogle processes the data (on your behalf).

Therefore, you are the data controller and Google the data processor.

However, if you provide the data to Google Analytics and they come up with the purposes and means of processing, then you are both data controllers, but Google Analytics is also (still) the processor.

Do you want to respect users’ privacy choices and still get valuable marketing insights? Try Google Consent Mode with Cookie Information!

Why is this important to me and my website?

If you want to become – or stay – GDPR compliant on your website, there are certain measures you need to take.

This list is not exhaustive (to the GDPR) but concerns your website’s use of cookies. As a data controller you are responsible for:

1) Collecting, managing and access to data

The European Commission’s guidance holds the data controller to be the principal party responsible for collecting, managing, and providing access to data. 

For example, if a user (the data subject) requests his or her data, the controller (you) would have to access it from your servers or from the processor you have contracted to handle the data. 

Only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data. 

Data controllers must also ensure this process to be as transparent as possible by creating and posting a Privacy Policy that outlines:

Any time a data processor becomes involved in collecting data, they also become a data controller and all of the above-mentioned responsibilities apply to them as well.

2) Keeping records of consents

Under the GDPR, data controllers are required to keep records of the consents given to process website users’ personal information. 

This also means, that if you are the data controller, you are responsible when the Data Protection Authorities ask for your website users’ cookie consents.

3) Appointing a Data Protection Officer

Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with website visitors’ personal data.

Although controllers and processor have different obligations under the GDPR, their roles are also complementary in reaching the goals of transparency and accountability.

Working together promotes compliance and helps both parties avoid the new, heavy economical penalties which come with violating GDPR rules.

That sounds like a lot, who can help my website?

Cookie Information can. 

With Cookie Information’s Consent Solution, you can become complete ePrivacy and GDPR compliant on your website with a few simple steps.

Try Cookie Information’s Consent Solution and get a GDPR valid cookie consent banner

It’s complete with updated cookie policy (based on in-depth scans of your website’s subpages), privacy controls so visitors can opt-out (reject) cookies and we also provide SDK implementation for preventing cookies from being set prior to obtaining user consent (which is vital under the GDPR).

Are you ready to become compliant on your website? Try our Consent Solution today. Free trial, no credit card needed.

The best Consent Management Platform for businesses and brands

250,000 websites already trust us with their GDPR compliance