---
title: "GDPR processor vs controller: role boundaries and evidence"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller"
author: "Sorena AI"
description: "Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR controller"
  - "GDPR processor"
  - "joint controller"
  - "Article 28"
  - "Article 26"
  - "Article 30"
  - "RoPA"
  - "GDPR"
  - "controller"
  - "processor"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# GDPR processor vs controller: role boundaries and evidence

Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.

*FAQ* *EU GDPR*

## GDPR processor vs controller

A controller decides the purposes and essential means of processing; a processor processes personal data on a controller's behalf; joint controllers jointly determine the purposes and means for the relevant processing.

Use this answer to document the role boundary, decide when Article 28 processor terms or an Article 26 joint-controller arrangement is needed, and keep records that explain the decision.

Under the EU GDPR, the role label follows the actual processing facts, not the commercial title in a contract. Decide the role for each processing activity: who determines the purpose, who decides the essential means, whether another party processes only on documented instructions, and whether two or more parties jointly determine the purposes and means.

## GDPR processor vs controller: practical role differences

Use this matrix to route a processing activity to controller accountability, processor Article 28 terms, or joint-controller Article 26 allocation.

- **Processor**: A processor is separate from the controller and processes personal data on the controller's behalf under documented instructions.
- **Controller**: A controller determines the purposes and essential means of processing, alone or jointly with others.

| Dimension | Processor | Controller | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Processes personal data for another party's purposes and does not decide its own purposes for that processing. | Decides why the processing happens and the essential means that shape how it happens. | Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another. | [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means.<br>[EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific. |
| Covered actors | Needs Article 28 terms in a binding contract or legal act covering instructions, security, subprocessors, assistance, deletion or return, and audits. | Needs controller accountability records; where two or more parties jointly determine purposes and means, Article 26 requires a transparent arrangement. | Use Article 28 for controller-to-processor delegation; use Article 26 when multiple controllers share purpose-and-means decisions. | [Regulation (EU) 2016/679 (GDPR), Article 28](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 28 lists the mandatory processor contract or legal-act terms.<br>[Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective GDPR responsibilities by arrangement.<br>[EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance distinguishes controller-processor agreements from joint-controller arrangements. |
| Trigger | May choose non-essential technical or organisational means when those choices serve the controller's instructions and do not create a separate purpose. | Controls the purpose and essential means, including the reason for processing and core choices about the processing activity. | A supplier is not automatically a controller because it chooses hosting architecture, security tooling, or operational details, but it may become one if it decides its own purpose or essential means. | [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance says a processor that goes beyond instructions and determines its own purposes and means is considered a controller for that processing. |
| Core obligations | Keep Article 28 terms, instruction logs, subprocessor approvals, assistance evidence, security measures, deletion or return evidence, and processor Article 30 records by controller. | Keep purpose-and-means analysis, lawful-basis and transparency evidence, controller Article 30 records, processor due diligence, and Article 26 arrangements where joint control exists. | Tag records by the GDPR duty they prove; processor evidence and controller accountability evidence are related but not interchangeable. | [Regulation (EU) 2016/679 (GDPR), Articles 28 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 28 and 30 support processor contract evidence and processor records of categories of processing carried out on behalf of each controller.<br>[Regulation (EU) 2016/679 (GDPR), Articles 26 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 26 and 30 support joint-controller arrangements and controller records of processing activities under controller responsibility.<br>[Irish Data Protection Commission guidance on RoPA under Article 30](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - The DPC guidance explains that RoPA records should be complete, self-contained, and useful for demonstrating accountability. |
| Evidence record | Not the right label where the party jointly determines purposes and means rather than merely following another party's instructions. | Can be sole controller or joint controller; joint control can be limited to the processing stages where purposes and means are jointly determined. | Map the exact stages of processing so an Article 26 arrangement covers joint stages without mislabeling separate-controller or processor stages. | [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains joint control for whole processing or specific stages.<br>[Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires the arrangement to reflect the respective roles and relationships of joint controllers. |
| Timing and deadlines | Article 28 processor terms should be in place before the processor starts acting on behalf of the controller, because the processing must already be governed by a binding contract or legal act. | Article 26 arrangements should also be agreed up front for joint control so each party knows its responsibility before the processing begins. | Do the role assessment early enough to contract, document instructions, and publish the essence or records before live processing starts. | [Commission Implementing Decision (EU) 2021/915](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32021D0915&ref=sorena.io) - The standard contractual clauses contemplate a binding controller-processor contract and processing on behalf of the controller.<br>[Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective responsibilities by arrangement and make the essence available to data subjects.<br>[EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific. |
| Enforcement | A processor can be held to Article 28 duties if it departs from documented instructions, including the duty to alert the controller to unlawful instructions and to support audits and compliance checks. | A controller remains accountable for the role decision and for its own controller duties, including how it allocates responsibilities when it acts jointly with others. | The legal consequences differ: processor breaches are judged against the Article 28 contract and instructions, while controller failures are judged against the controller's own accountability obligations. | [Commission Implementing Decision (EU) 2021/915](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32021D0915&ref=sorena.io) - The clauses require the processor to process only on documented instructions and to inform the controller if an instruction infringes data protection law.<br>[Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective responsibilities in a transparent manner.<br>[EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance distinguishes controller accountability from processor obedience to instructions. |
| Overlap and reuse | A processor can still have limited discretion over non-essential means, but that does not make it a controller if it stays within the controller's instructions. | A controller can reuse a vendor or affiliate in different roles across different processing activities and must assess each activity separately. | Do not reuse one role label across every service, system, or business unit; document the role for each processing activity. | [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific.<br>[Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 makes the role turn on the specific purposes and means of the processing. |
| Practical decision rule | If the party acts only on documented instructions and for another party's purposes, treat it as a processor for that activity. | If the party decides the purpose or essential means, treat it as a controller for that activity, alone or with others. | Run the role test per processing activity; one organisation can be a controller for one activity and a processor for another. | [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means.<br>[EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific. |

Sources for Scope boundary - Processor:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines processor as processing personal data on behalf of the controller.
  - Quote: "on behalf"

Sources for Scope boundary - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means.
  - Quote: "purposes and means"

Sources for Scope boundary - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific.
  - Quote: "actual roles"

Sources for Covered actors - Processor:

- [Regulation (EU) 2016/679 (GDPR), Article 28](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 28 lists the mandatory processor contract or legal-act terms.
  - Quote: "contract or other legal act"

Sources for Covered actors - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective GDPR responsibilities by arrangement.
  - Quote: "arrangement between them"

Sources for Covered actors - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance distinguishes controller-processor agreements from joint-controller arrangements.
  - Quote: "processing agreement"

Sources for Trigger - Processor:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance allows processors some discretion over non-essential means.
  - Quote: "non-essential means"

Sources for Trigger - Controller:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains controller decisions as the why and how of processing.
  - Quote: "why and how"

Sources for Trigger - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance says a processor that goes beyond instructions and determines its own purposes and means is considered a controller for that processing.
  - Quote: "own purposes and means"

Sources for Core obligations - Processor:

- [Regulation (EU) 2016/679 (GDPR), Articles 28 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 28 and 30 support processor contract evidence and processor records of categories of processing carried out on behalf of each controller.
  - Quote: "categories of processing"

Sources for Core obligations - Controller:

- [Regulation (EU) 2016/679 (GDPR), Articles 26 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 26 and 30 support joint-controller arrangements and controller records of processing activities under controller responsibility.
  - Quote: "under its responsibility"

Sources for Core obligations - operational implication:

- [Irish Data Protection Commission guidance on RoPA under Article 30](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - The DPC guidance explains that RoPA records should be complete, self-contained, and useful for demonstrating accountability.
  - Quote: "complete, self-contained"

Sources for Evidence record - Processor:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance separates processor outcomes from joint-controller outcomes in the role analysis.
  - Quote: "You are a processor"

Sources for Evidence record - Controller:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains joint control for whole processing or specific stages.
  - Quote: "specific stages"

Sources for Evidence record - operational implication:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires the arrangement to reflect the respective roles and relationships of joint controllers.
  - Quote: "respective roles"

Sources for Timing and deadlines - Processor:

- [Commission Implementing Decision (EU) 2021/915](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32021D0915&ref=sorena.io) - The standard contractual clauses contemplate a binding controller-processor contract and processing on behalf of the controller.
  - Quote: "binding on the processor"

Sources for Timing and deadlines - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective responsibilities by arrangement and make the essence available to data subjects.
  - Quote: "arrangement between them"

Sources for Timing and deadlines - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific.
  - Quote: "functional concepts"

Sources for Enforcement - Processor:

- [Commission Implementing Decision (EU) 2021/915](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32021D0915&ref=sorena.io) - The clauses require the processor to process only on documented instructions and to inform the controller if an instruction infringes data protection law.
  - Quote: "documented instructions"

Sources for Enforcement - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective responsibilities in a transparent manner.
  - Quote: "responsibilities"

Sources for Enforcement - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance distinguishes controller accountability from processor obedience to instructions.
  - Quote: "on behalf of the controller"

Sources for Overlap and reuse - Processor:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance allows processors some discretion over non-essential means.
  - Quote: "non-essential means"

Sources for Overlap and reuse - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 makes the role turn on the specific purposes and means of the processing.
  - Quote: "purposes and means"

Sources for Overlap and reuse - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific.
  - Quote: "actual roles"

Sources for Practical decision rule - Processor:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines processor as processing personal data on behalf of the controller.
  - Quote: "on behalf"

Sources for Practical decision rule - Controller:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means.
  - Quote: "purposes and means"

Sources for Practical decision rule - operational implication:

- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance treats role concepts as functional and activity-specific.
  - Quote: "actual roles"

### How should teams close the GDPR role decision?

- Identify the specific processing activity and its exact purpose.
- Record who decides the purpose and essential means, who acts only under documented instructions, and whether decisions are common or converging.
- Attach the Article 28 terms for processor relationships or the Article 26 arrangement for joint-controller relationships.
- Update controller and processor Article 30 records so the role label is visible in the evidence file.
- Reassess when purposes, essential means, subprocessors, data categories, recipients, transfers, or joint decision-making facts change.

Sources for the practical decision rule:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - GDPR Articles 4, 26, 28, and 30 provide the legal basis for the role decision and evidence records.
  - Quote: "records of processing activities"
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance provides the practical role-analysis framework for controller, processor, and joint-controller boundaries.
  - Quote: "specific personal data processing"

## Short answer: how do you tell a processor from a controller?

A controller is the party that determines why personal data is processed and the essential means of that processing. A processor is a separate party that processes personal data on behalf of the controller and must not use the data for its own purposes outside the controller's instructions.

The EDPB treats the concepts as functional: the analysis should follow the actual role each party plays in the specific processing operation. Contract wording helps, but it is not enough if the operational facts show that a party decides purposes or essential means.

- Start with the specific processing activity, not the whole vendor, group company, or product.
- Label a party as controller when it decides the purpose or essential means of that processing.
- Label a party as processor when it is separate from the controller and acts on the controller's behalf under instructions.
- Treat a processor that starts using the data for its own purposes as a controller for that processing.
- Do not treat employees or internal teams as separate processors merely because they handle personal data under the organisation's authority.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means, and processor by processing personal data on behalf of the controller.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains that role labels are functional and must be assessed against the actual processing activity.

## When do Article 28 processor terms apply?

Article 28 applies when processing is carried out on behalf of a controller. The controller must use only processors that provide sufficient guarantees for appropriate technical and organisational measures, and the processing must be governed by a binding contract or other legal act.

The Article 28 record should not be a generic data-processing addendum only. It should identify the subject matter, duration, nature, purpose, personal-data types, data-subject categories, obligations and rights of the controller, and the concrete processor duties that make the instructions operational.

- Keep documented controller instructions, including instructions on international transfers where relevant.
- Record confidentiality duties for authorised personnel and the Article 32 security measures required for the service.
- Track prior specific or general written authorisation for subprocessors and objections to subprocessor changes.
- Document assistance with data-subject rights, security, breach notification inputs, DPIAs, and prior consultation where applicable.
- Keep deletion or return evidence at service end and audit-support evidence showing the processor made compliance information available.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 28](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 28 sets processor-selection requirements and mandatory processor-contract terms, including instructions, subprocessors, assistance, deletion or return, and audits.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance says processing agreements should include concrete information on how GDPR requirements and security levels will be met.

## When is it joint controllership instead of a processor relationship?

Joint controllership exists where two or more parties jointly determine the purposes and means of the same processing. The EDPB explains that joint participation may come from a common decision or from converging decisions that complement each other and are necessary for the processing in a way that has a tangible impact on purposes and means.

Article 26 requires joint controllers to transparently determine their respective GDPR responsibilities by arrangement, especially for data-subject rights and Articles 13 and 14 information duties. The essence of that arrangement must be made available to data subjects, and data subjects may exercise their rights against each joint controller.

- Use Article 26 when parties jointly determine purposes and means; do not force the relationship into Article 28 if both parties make controller-level decisions.
- Allocate rights handling, privacy information, security, breach notification, DPIAs, processor use, transfers, and authority communications where those issues are relevant to the joint processing.
- Make the arrangement reflect the real roles and relationships, not only a preferred contracting model.
- Keep the internal allocation evidence, because the EDPB treats that analysis as part of accountability documentation.
- Remember that an Article 26 arrangement allocates tasks between joint controllers but does not prevent data subjects from contacting either controller.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 defines joint-controller arrangements, responsibilities, data-subject access to the arrangement essence, and rights against each joint controller.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains common and converging decisions, practical allocation of joint-controller duties, and recommended documentation.

## What evidence should teams keep for the role decision?

Keep evidence at processing-activity level. A useful role file shows the purpose, essential means, party responsibilities, instructions, contract or arrangement, relevant records of processing, and the trigger for reassessing the label.

Article 30 records support this work because controllers must record processing activities under their responsibility, while processors must record categories of processing carried out on behalf of each controller. RoPA entries should therefore preserve the controller, processor, joint-controller, and subprocessor distinctions instead of collapsing every party into a vendor list.

- Role assessment showing who decides the purpose and essential means for the specific processing activity.
- Article 28 contract or legal act, documented instructions, subprocessor approvals, assistance logs, deletion or return record, and audit evidence for processor relationships.
- Article 26 arrangement, responsibility allocation, contact point if designated, and published essence evidence for joint-controller relationships.
- Controller RoPA entry with purposes, data-subject categories, personal-data categories, recipients, transfers, retention where possible, and Article 32 measure description where possible.
- Processor RoPA entry with each controller on whose behalf the processor acts, processing categories for each controller, transfers where applicable, and security-measure description where possible.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 30 distinguishes controller records from processor records carried out on behalf of controllers.
- [Irish Data Protection Commission guidance on RoPA under Article 30](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - The DPC guidance explains controller and processor RoPA content, standalone record quality, and the need to make records available to the supervisory authority on request.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - GDPR Articles 4, 26, 28, and 30 provide the legal basis for the role decision and evidence records.
  - Quote: "records of processing activities"
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance provides the practical role-analysis framework for controller, processor, and joint-controller boundaries.
  - Quote: "specific personal data processing"
- [Irish Data Protection Commission guidance on RoPA under Article 30](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - The DPC guidance explains that RoPA records should be complete, self-contained, and useful for demonstrating accountability.
  - Quote: "complete, self-contained"
- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means.
  - Quote: "purposes and means"
- [Regulation (EU) 2016/679 (GDPR), Article 28](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 28 lists the mandatory processor contract or legal-act terms.
  - Quote: "contract or other legal act"
- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 requires joint controllers to determine their respective responsibilities in a transparent manner.
  - Quote: "responsibilities"
- [Regulation (EU) 2016/679 (GDPR), Articles 28 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 28 and 30 support processor contract evidence and processor records of categories of processing carried out on behalf of each controller.
  - Quote: "categories of processing"
- [Regulation (EU) 2016/679 (GDPR), Articles 26 and 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 26 and 30 support joint-controller arrangements and controller records of processing activities under controller responsibility.
  - Quote: "under its responsibility"
- [Commission Implementing Decision (EU) 2021/915](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32021D0915&ref=sorena.io) - The clauses require the processor to process only on documented instructions and to inform the controller if an instruction infringes data protection law.
  - Quote: "documented instructions"

## Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

*Recommended next step*

*Placement: before sources*

## Document controller, processor, and joint-controller boundaries

Sorena can help turn this GDPR role analysis into cited role records, Article 28 checks, Article 26 responsibility maps, and RoPA evidence requests.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR controller, processor, joint-controller, Article 28, Article 26, and Article 30 evidence issues.
- [Talk through implementation](/contact.md): Review your GDPR role boundary, processor terms, joint-controller allocation, and evidence gaps with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller