Data Controllers vs Processors
Data protection law gives different responsibilities to controllers and processors. Knowing which role you play, and which role your suppliers play, determines who is accountable for what.
This is general guidance to help you classify the relationships in your own business.
The Difference in Plain Terms
- Controller: decides why and how data is processed.
- Processor: acts on the controller's instructions.
- Joint controllers: two parties decide together.
Why It Matters
Controllers carry the primary legal duties — lawful basis, transparency, responding to rights requests. Processors have narrower but real obligations, mainly around security and following instructions.
A Worked Example
If you run a shop and use an email platform to send newsletters, you are the controller, because you decide to market to your list, and the platform is your processor. If that platform then used your customers' data for its own purposes, it would become a controller in its own right.

| Question | Controller | Processor |
|---|---|---|
| Decides the purpose? | Yes | No |
| Chooses the means? | Mostly | Limited |
| Handles rights requests? | Yes | Assists |