A controller decides the purposes and essential means of processing; a processor processes personal data on a controller's behalf; joint controllers jointly determine the purposes and means for the relevant processing.
Use this answer to document the role boundary, decide when Article 28 processor terms or an Article 26 joint-controller arrangement is needed, and keep records that explain the decision.
Structured answer sets in this page tree.
Cited legal and guidance references.
Under the EU GDPR, the role label follows the actual processing facts, not the commercial title in a contract. Decide the role for each processing activity: who determines the purpose, who decides the essential means, whether another party processes only on documented instructions, and whether two or more parties jointly determine the purposes and means.
Use this matrix to route a processing activity to controller accountability, processor Article 28 terms, or joint-controller Article 26 allocation.
A processor is separate from the controller and processes personal data on the controller's behalf under documented instructions.
A controller determines the purposes and essential means of processing, alone or jointly with others.
| Dimension | Processor | Controller | Operational implication |
|---|---|---|---|
| Scope boundary | Processes personal data for another party's purposes and does not decide its own purposes for that processing. | Decides why the processing happens and the essential means that shape how it happens. | Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another. |
| Covered actors | Needs Article 28 terms in a binding contract or legal act covering instructions, security, subprocessors, assistance, deletion or return, and audits. | Needs controller accountability records; where two or more parties jointly determine purposes and means, Article 26 requires a transparent arrangement. | Use Article 28 for controller-to-processor delegation; use Article 26 when multiple controllers share purpose-and-means decisions. |
| Trigger | May choose non-essential technical or organisational means when those choices serve the controller's instructions and do not create a separate purpose. | Controls the purpose and essential means, including the reason for processing and core choices about the processing activity. | A supplier is not automatically a controller because it chooses hosting architecture, security tooling, or operational details, but it may become one if it decides its own purpose or essential means. |
| Core obligations | Keep Article 28 terms, instruction logs, subprocessor approvals, assistance evidence, security measures, deletion or return evidence, and processor Article 30 records by controller. | Keep purpose-and-means analysis, lawful-basis and transparency evidence, controller Article 30 records, processor due diligence, and Article 26 arrangements where joint control exists. | Tag records by the GDPR duty they prove; processor evidence and controller accountability evidence are related but not interchangeable. |
| Evidence record | Not the right label where the party jointly determines purposes and means rather than merely following another party's instructions. | Can be sole controller or joint controller; joint control can be limited to the processing stages where purposes and means are jointly determined. | Map the exact stages of processing so an Article 26 arrangement covers joint stages without mislabeling separate-controller or processor stages. |
| Timing and deadlines | Article 28 processor terms should be in place before the processor starts acting on behalf of the controller, because the processing must already be governed by a binding contract or legal act. | Article 26 arrangements should also be agreed up front for joint control so each party knows its responsibility before the processing begins. | Do the role assessment early enough to contract, document instructions, and publish the essence or records before live processing starts. |
| Enforcement | A processor can be held to Article 28 duties if it departs from documented instructions, including the duty to alert the controller to unlawful instructions and to support audits and compliance checks. | A controller remains accountable for the role decision and for its own controller duties, including how it allocates responsibilities when it acts jointly with others. | The legal consequences differ: processor breaches are judged against the Article 28 contract and instructions, while controller failures are judged against the controller's own accountability obligations. |
| Overlap and reuse | A processor can still have limited discretion over non-essential means, but that does not make it a controller if it stays within the controller's instructions. | A controller can reuse a vendor or affiliate in different roles across different processing activities and must assess each activity separately. | Do not reuse one role label across every service, system, or business unit; document the role for each processing activity. |
| Practical decision rule | If the party acts only on documented instructions and for another party's purposes, treat it as a processor for that activity. | If the party decides the purpose or essential means, treat it as a controller for that activity, alone or with others. | Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another. |
Processes personal data for another party's purposes and does not decide its own purposes for that processing.
Decides why the processing happens and the essential means that shape how it happens.
Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another.
Needs Article 28 terms in a binding contract or legal act covering instructions, security, subprocessors, assistance, deletion or return, and audits.
Needs controller accountability records; where two or more parties jointly determine purposes and means, Article 26 requires a transparent arrangement.
Use Article 28 for controller-to-processor delegation; use Article 26 when multiple controllers share purpose-and-means decisions.
May choose non-essential technical or organisational means when those choices serve the controller's instructions and do not create a separate purpose.
Controls the purpose and essential means, including the reason for processing and core choices about the processing activity.
A supplier is not automatically a controller because it chooses hosting architecture, security tooling, or operational details, but it may become one if it decides its own purpose or essential means.
Keep Article 28 terms, instruction logs, subprocessor approvals, assistance evidence, security measures, deletion or return evidence, and processor Article 30 records by controller.
Keep purpose-and-means analysis, lawful-basis and transparency evidence, controller Article 30 records, processor due diligence, and Article 26 arrangements where joint control exists.
Tag records by the GDPR duty they prove; processor evidence and controller accountability evidence are related but not interchangeable.
Not the right label where the party jointly determines purposes and means rather than merely following another party's instructions.
Can be sole controller or joint controller; joint control can be limited to the processing stages where purposes and means are jointly determined.
Map the exact stages of processing so an Article 26 arrangement covers joint stages without mislabeling separate-controller or processor stages.
Article 28 processor terms should be in place before the processor starts acting on behalf of the controller, because the processing must already be governed by a binding contract or legal act.
Article 26 arrangements should also be agreed up front for joint control so each party knows its responsibility before the processing begins.
Do the role assessment early enough to contract, document instructions, and publish the essence or records before live processing starts.
A processor can be held to Article 28 duties if it departs from documented instructions, including the duty to alert the controller to unlawful instructions and to support audits and compliance checks.
A controller remains accountable for the role decision and for its own controller duties, including how it allocates responsibilities when it acts jointly with others.
The legal consequences differ: processor breaches are judged against the Article 28 contract and instructions, while controller failures are judged against the controller's own accountability obligations.
A processor can still have limited discretion over non-essential means, but that does not make it a controller if it stays within the controller's instructions.
A controller can reuse a vendor or affiliate in different roles across different processing activities and must assess each activity separately.
Do not reuse one role label across every service, system, or business unit; document the role for each processing activity.
If the party acts only on documented instructions and for another party's purposes, treat it as a processor for that activity.
If the party decides the purpose or essential means, treat it as a controller for that activity, alone or with others.
Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another.
A controller is the party that determines why personal data is processed and the essential means of that processing. A processor is a separate party that processes personal data on behalf of the controller and must not use the data for its own purposes outside the controller's instructions.
The EDPB treats the concepts as functional: the analysis should follow the actual role each party plays in the specific processing operation. Contract wording helps, but it is not enough if the operational facts show that a party decides purposes or essential means.
Article 4 defines controller by determination of purposes and means, and processor by processing personal data on behalf of the controller.
The captured EDPB 07/2020 guidance explains that role labels are functional and must be assessed against the actual processing activity.
Article 28 applies when processing is carried out on behalf of a controller. The controller must use only processors that provide sufficient guarantees for appropriate technical and organisational measures, and the processing must be governed by a binding contract or other legal act.
The Article 28 record should not be a generic data-processing addendum only. It should identify the subject matter, duration, nature, purpose, personal-data types, data-subject categories, obligations and rights of the controller, and the concrete processor duties that make the instructions operational.
Article 28 sets processor-selection requirements and mandatory processor-contract terms, including instructions, subprocessors, assistance, deletion or return, and audits.
The captured EDPB 07/2020 guidance says processing agreements should include concrete information on how GDPR requirements and security levels will be met.
Joint controllership exists where two or more parties jointly determine the purposes and means of the same processing. The EDPB explains that joint participation may come from a common decision or from converging decisions that complement each other and are necessary for the processing in a way that has a tangible impact on purposes and means.
Article 26 requires joint controllers to transparently determine their respective GDPR responsibilities by arrangement, especially for data-subject rights and Articles 13 and 14 information duties. The essence of that arrangement must be made available to data subjects, and data subjects may exercise their rights against each joint controller.
Article 26 defines joint-controller arrangements, responsibilities, data-subject access to the arrangement essence, and rights against each joint controller.
The captured EDPB 07/2020 guidance explains common and converging decisions, practical allocation of joint-controller duties, and recommended documentation.
Keep evidence at processing-activity level. A useful role file shows the purpose, essential means, party responsibilities, instructions, contract or arrangement, relevant records of processing, and the trigger for reassessing the label.
Article 30 records support this work because controllers must record processing activities under their responsibility, while processors must record categories of processing carried out on behalf of each controller. RoPA entries should therefore preserve the controller, processor, joint-controller, and subprocessor distinctions instead of collapsing every party into a vendor list.
Article 30 distinguishes controller records from processor records carried out on behalf of controllers.
The DPC guidance explains controller and processor RoPA content, standalone record quality, and the need to make records available to the supervisory authority on request.
Sorena can help turn this GDPR role analysis into cited role records, Article 28 checks, Article 26 responsibility maps, and RoPA evidence requests.
Ask source-linked questions about GDPR controller, processor, joint-controller, Article 28, Article 26, and Article 30 evidence issues.
Review your GDPR role boundary, processor terms, joint-controller allocation, and evidence gaps with Sorena.
"documented instructions"
"specific personal data processing"
"complete, self-contained"
"records of processing activities"
"responsibilities"
"contract or other legal act"
"on behalf of a controller"
"purposes and means"
"under its responsibility"
"categories of processing"