Privacy & Data Protection

Difference between a Data Controller and a Data Processor

Author: Preslav Baldzhiev

With the entry into force of the General Data Protection Regulation (GDPR) in 2018, several changes took place to ensure the security of the average user.

What is a Data Controller?

The term Data Controller has its legal definition in Article 4 (7) of the GDPR. According to it, a Data Controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

Presented in a more comprehensive way, the Data Controller is a structure that independently collects personal data on some legal ground (consent, the performance of a contract, legal obligation, etc.) The legal ground for the collection of personal data must be assessed on a case-by-case basis.

The collected personal data cannot be processed arbitrarily – their processing is related to the purposes for which they were collected, and which are determined by the Data Controller (execution of an online order).

The Data controller shall also comply with the period until which the processing and storage of personal data are admissible – in the GDPR the term is explained as “not longer than necessary”. With this in mind, the Data Controller is obliged to set specific deadlines after the expiration of which the legal grounds for the processing of personal data will cease to exist, and the personal data must be deleted. These deadlines can vary -the purpose and means are important in determining them.

It is possible that the data will be collected by two or more Data Controllers – then there will be joint controllers. In this case, the Data Controllers must jointly determine the purposes and means of the processing, and the data subjects may exercise their rights individually to each of them.

An example of a Data Controller is Spedition companies – They collect personal data in order to fulfill their obligation under a contract of carriage/forwarding contract. Another example of Data Controller Medical Establishments (hospitals) – upon admission of a patient, the medical establishments collect and process his/her personal data.

Until 25.05.2018 the Data Controller had to be entered into a special register at the Commission for Personal Data Protection.

What is Data Processor?

The Data Processor also has a legal definition – Article 4 (8) of the GDPR. According to this provision, the Data Processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

This means that the Processor is a separate third party with the Data Controller and the Data subject, but unlike them, the participation of the Data Processor is not mandatory.

For comparison by the Data Controller, the Data Processor cannot collect personal information himself – it is always provided to him by the Data Controller on whose behalf he acts.

The Data Processor bases the processing of personal data on an agreement with the Data Controller. The agreement specifies the time and purposes for which the personal data will be processed (any deviation from the agreed will mean that the Data Processor will start acting like a Data Controller, another question is whether there will be legal grounds), the obligations of the Data Processor, as well as liability and Non-disclosure clause. An important feature is that the agreement is prepared by the Data Controller. Otherwise, the preparation of the agreement by the Data Processor will mean that the Data Processor will determine the legal grounds and purposes for the collection of personal data (the Data Processor will become a Data Controller).

An example of a Data Processor is an accounting firm that has personal data on the employees of a client company. Personal data will be used to pay salaries.


Data ControllerData Processor
Method of collecting personal dataCollected by themselvesProvided by the Data Controller
PurposesDetermined by themselvesDetermined by the Data Controller
Legal groundsDifferentOnly by an agreement
Processing timeDepending on the DataAs agreed with the Data Controller

This material prepared by Preslav Baldzhiev aims to provide more information about the difference between the data controller and the data processor. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website. Since 2017 Preslav Baldzhiev is a law student at Sofia University “St. Kliment Ohridski “, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial and law on obligations and contracts and also regularly attends conferences, practical courses, seminars, and webinars.

error: Content is protected !!