RegSol Blog


Who is the Controller and Who is the Processor?

October 2020

On September 7, 2020, the European Data Protection Board (“EDPB”) released guidelines on the concepts of controller, joint controller and processor in the EU General Data Protection Regulation.

Often a bone of contention amongst those who draft contracts, controllers determine the purposes and means of processing, the why and how of processing, while processors cannot process data without the controller’s instructions.

Contention arises on where the line is drawn on those decisions, since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice.

The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent.

Click HERE to read the guidelines.



By Judy de Castro
Regulatory Consultant