Tips for Controllers and Processors

18 April 2023

UK GDPR defines two types of organization, controller and processor.

Controllers make decisions about what data will be processed such as the purposes for which it is processed, how long it will be kept, and who it will be shared with.

Processors only act on instructions from controllers.  They are outsourced service providers and have no interest in the processing except that they are paid for providing a service, like a payroll processing bureau or mailing house. 

A tip to help distinguish controllers and processors is that the contract includes a provision to delete or return personal data to the controller when it expires.  The processor has no grounds to retain copies of the data is has processed.

Why does it matter whether organisations are Controllers or Processors?

It matters whether an organisation is a controller or processor because the contract terms are different for data processing contracts.  GDPR requires data processing contracts be in writing and include mandatory content such as requiring the processor to delete or return personal data at the end of the contract and ensuring that the processor’s employees are bound by a confidentiality agreement.  For a full list of required content check out the Information Commissioner’s website at 

This blog is only an introduction to the issues around using data processors.  If you need any support with data protection compliance feel free to contact us for a quote.

Mandy Webster

April 2023