Controller, Processor, and Data Subject
The controller determines the purposes and means of processing; the processor processes on the controller's behalf under contract. The data subject is the person whose data is processed, and the controller generally bears more legal responsibility.
A Controller determines the purposes and means of processing; it is the company directing processing to further its own objectives. A Processor processes personal data on behalf of the controller, governed by the controller's instructions as set out in a contract. Those contractual requirements flow downstream to any Subprocessor. Generally, the controller bears more legal responsibility than the processor.
A Data subject is the natural person whose data is processed. GDPR rights apply when EU-based establishments process data of subjects outside the EU, and when non-EU establishments monitor behavior of, or target goods or services to, data subjects in the EU.
| Controller obligations | Processor obligations |
|---|---|
| Implement data protection by default and by design | Comply with the controller's instructions |
| Provide instructions to processors | Maintain confidentiality |
| Identify a legal basis; maintain processing records | Keep a record of processing activities |
| Report data breaches; cooperate with DPAs | Report breaches to controller; cooperate with DPAs |
| Appoint a DPO; conduct DPIAs | Ensure data security |