Artifact GuideEU GDPR

GDPR Role Classification Controllers, Processors, and Joint Controllers

Classify GDPR roles from the real processing facts: who decides why data is processed, who decides essential means, who follows documented instructions, and who jointly determines purposes and means.

Use this guide for vendor onboarding, product partnerships, shared platforms, group services, processor terms, and joint-controller transparency notices.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

GDPR role labels are not procurement labels. A party is a controller when it determines the purposes and essential means of a processing operation, a processor when it processes personal data for a controller and on documented instructions, and a joint controller when two or more parties jointly determine purposes and means for the same processing. The review has to be done per processing activity, because the same vendor, affiliate, or partner can hold different roles for different services.

Section 1

Classify the role from decision power, not from the contract title

Start with the specific personal-data processing operation and its exact purpose. The EDPB guidance says controller, joint controller, and processor concepts are functional and determine who is responsible for GDPR compliance and how data subjects exercise their rights.

The controller decides the purpose of the processing and the essential means. Essential means include decisions closely linked to purpose and scope, such as which data is processed, how long it is kept, who receives it, and which categories of data subjects are involved. Practical implementation choices, such as software configuration or detailed security controls, can be left to a processor when they stay within the controller's instructions.

  • Write the processing activity before naming the role: data source, purpose, data subjects, data categories, recipients, retention, systems, and decision makers.
  • Treat a party as controller for the activity where it decides the purpose or essential means, even if it does not directly access the personal data.
  • Do not treat an internal department, named employee, vendor owner, or contract manager as the controller when the legal entity decides the processing.
  • Record any split role: one party can be a processor for hosting, a separate controller for its own analytics, or a joint controller for a shared campaign or platform workflow.
Sources for this answer
EDPB Guidelines 07/2020 on controller and processor concepts
Supports classifying roles from functional control over purposes and means, including the essential versus non-essential means distinction.
Regulation (EU) 2016/679 (GDPR)
Article 4(7) defines a controller as the actor that alone or jointly determines purposes and means.
Section 2

Processor status requires instructions, boundaries, and Article 28 terms

A processor is not just an outsourced vendor. Processor status depends on processing personal data for another party's purposes and in accordance with that party's documented instructions. The Article 28 contract or other binding legal act should make those instructions operational, not merely recite that the vendor is compliant.

For procurement and vendor-management review, check both the written terms and the service reality. If the supplier decides its own purpose or essential means for the data, the role analysis may move from processor to controller for that processing. If the processor engages sub-processors, Article 28 requires prior specific or general written authorization and flow-down obligations.

  • Article 28 terms should state subject matter, duration, nature and purpose, personal-data types, data-subject categories, controller rights, and processor obligations.
  • Instructions should cover permitted processing, international transfers, confidentiality, security, assistance with data-subject rights, assistance with Articles 32 to 36 duties, deletion or return, audit support, and illegal-instruction escalation.
  • Vendor evidence should include the executed data processing agreement, instruction log or order form, sub-processor list and authorization model, security measures, audit or assurance materials, deletion or return commitments, and breach-notification path to the controller.
  • For sub-processors, verify that equivalent data-protection obligations are imposed and that the initial processor remains liable to the controller for the sub-processor's performance.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 28 sets the processor-contract requirements, documented-instruction rule, sub-processor authorization, and liability for sub-processors.
Commission Implementing Decision (EU) 2021/915
Provides EU standard contractual clauses for controller-processor relationships under Article 28(7).
EDPB Guidelines 07/2020 on controller and processor concepts
Explains that controller-processor agreements must reflect the actual relationship and contain specific, concrete processing information.
Section 3

Joint controllers need an Article 26 allocation and data-subject transparency

Joint controllership can arise from a common decision or from converging decisions that are necessary for the processing and have a tangible impact on purposes and means. It is not enough that two parties benefit from the same project, exchange data, or use the same tool; the joint role depends on joint determination for the processing at stake.

When two or more parties are joint controllers, Article 26 requires them to determine their respective GDPR responsibilities transparently by arrangement. The arrangement should allocate who handles data-subject rights, Articles 13 and 14 information duties, security, breach notifications, DPIAs where relevant, use of processors, transfers, and authority or data-subject contacts. The essence of the arrangement must be available to data subjects.

  • Identify whether the parties made a common decision or converging decisions about both purpose and means for the same processing.
  • Allocate responsibilities in clear language: notice owner, rights-request intake, response coordination, security lead, breach-notification lead, processor manager, transfer owner, and contact point.
  • Publish or provide the essence of the arrangement so data subjects can understand which controller is responsible for what and how to exercise rights.
  • Do not use the arrangement to block rights. Data subjects may exercise GDPR rights against each joint controller regardless of internal allocation.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 26 defines joint controllers and requires transparent allocation of responsibilities and availability of the arrangement's essence.
EDPB Guidelines 07/2020 on controller and processor concepts
Explains common and converging decisions, recommends a binding joint-controller arrangement, and lists responsibilities to allocate.
Section 4

Evidence to keep for vendors, partnerships, and shared processing

The evidence file should let a reviewer reconstruct the role decision without interviewing the original deal team. Keep the role analysis beside procurement, product, privacy, and security records because the role can change when a supplier adds analytics, a partner reuses data, a group service centralizes decisions, or a shared platform changes who controls recipients or retention.

Evidence should distinguish role classification from implementation proof. The role memo shows why a party is controller, processor, or joint controller for a named processing activity. The implementation evidence shows that the corresponding Article 26 or Article 28 obligations are in place.

  • Role analysis: processing activity, factual purpose, essential means, non-essential means left to the processor, decision makers, and rejected role alternatives.
  • Processor file: Article 28 contract or clauses, documented instructions, sub-processor authorization, audit rights, security evidence, assistance commitments, breach escalation, and deletion or return process.
  • Joint-controller file: arrangement, allocation table, data-subject contact point if designated, privacy-notice language or other method for making the essence available, and coordination steps for rights and breaches.
  • Change triggers: new data use, changed retention, new recipient, new sub-processor, new analytics purpose, data transfer change, integration with another service, or contract terms that no longer match actual control.
Sources for this answer
EDPB Guidelines 07/2020 on controller and processor concepts
Supports documenting the factual analysis, allocation of joint-controller obligations, and processor relationship evidence.
Regulation (EU) 2016/679 (GDPR)
Articles 26 and 28 provide the required arrangement and processor-contract elements that the evidence file should prove.
Commission Implementing Decision (EU) 2021/915
Supports using EU Article 28 standard clauses as a controller-processor contract baseline.
Section 5

Common role mistakes to catch before approval

Most role errors come from treating labels as decisive or from reviewing only one side of the relationship. A supplier called a processor may still become a controller for a processing activity if it determines purposes and means. Two parties called independent controllers may be joint controllers for a particular shared workflow if their decisions are inseparable for that processing.

Use the mistakes below as approval blockers for vendor onboarding, product launches, partnerships, and group-service changes. They are designed to catch role drift before the privacy notice, contract, ROPA entry, and operational workflow diverge from reality.

Can a GDPR processor decide any technical details?

Yes. The EDPB distinguishes essential means, which are reserved to the controller, from non-essential implementation details such as specific hardware, software, or detailed security measures that may be left to the processor within the controller's instructions.

Does an Article 26 arrangement stop data subjects contacting every joint controller?

No. Article 26 allows joint controllers to allocate responsibilities and designate a contact point, but data subjects may still exercise their GDPR rights against each joint controller.

  • The contract says processor, but the supplier can reuse the data for its own product improvement, advertising, benchmarking, or unrelated analytics without a separate controller analysis.
  • The team treats joint controllership as equal responsibility for everything, even though Article 26 requires a clear allocation and the EDPB notes that joint responsibility does not always mean equal responsibility.
  • The processor agreement omits concrete instructions, sub-processor authorization, audit support, deletion or return, or assistance with data-subject rights and security obligations.
  • The public privacy notice does not expose the essence of a joint-controller arrangement, or it points data subjects to only one party while implying they cannot contact the other joint controller.
  • A role decision is reused across all services from the same vendor instead of being tested separately for hosting, support, analytics, AI features, fraud prevention, marketing, and account administration.
Sources for this answer
EDPB Guidelines 07/2020 on controller and processor concepts
Supports the practical role-mistake checks, including non-essential means, factual role analysis, and joint-controller allocation.
Regulation (EU) 2016/679 (GDPR)
Article 28 states that a processor determining purposes and means is treated as controller for that processing.
Recommended next step

Use this guide to test vendor and partnership roles

Sorena can help map a service, vendor, or shared workflow into controller, processor, or joint-controller roles, then generate the Article 26 or Article 28 evidence requests that match the role.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about controller, processor, and joint-controller role classification using the cited GDPR and EDPB sources.

Explore next step
Talk to Sorena
Talk through GDPR vendor roles

Review a processor agreement, joint-controller arrangement, or role-mistake risk with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 28 states that a processor determining purposes and means is treated as controller for that processing.
"the processor shall be considered to be a controller"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.