Data Broker vs Data Controller: What's the Difference?
Two terms that sound alike but mean very different things under UK data protection law. Understanding the gap helps you see who is responsible for your information, and who to address when you want to exercise your rights.
In short
A data controller is any organisation that decides why and how your personal data is used. A data broker is a specific kind of controller whose business is collecting and selling information about people it usually has no direct relationship with. Every data broker is a controller, but most controllers are not brokers.
What a "data controller" actually means
Under UK GDPR, a data controller is the organisation that decides the purposes and the means of processing your personal data. In plainer terms, it is whoever is in the driving seat: the party that chooses why your information is collected and how it will be used. Your bank, your employer, an online shop you bought from, and a charity you donated to are all controllers of the data they hold about you.
The label matters because the law attaches most responsibilities to the controller. A controller has to have a lawful basis for using your data, has to keep it accurate and secure, and has to answer when you ask to see, correct, or delete it. When you send a data subject access request or an erasure request, you are normally writing to a controller.
A controller is different from a processor, which is a third party that handles data only on the controller's instructions, such as a cloud-hosting company or a payroll service. The processor follows orders; the controller sets them.
- A controller decides the why and how of using your data.
- Most legal duties, and most of your rights, point at the controller.
- A processor only acts on a controller's instructions and carries fewer duties.
Where the data broker fits in
A data broker is a particular type of controller. Its business model is to gather personal information about large numbers of people, combine it into profiles, and license or sell access to that information. The defining feature is that a broker usually has no direct relationship with the people in its records. You did not sign up with it, and you may never have heard of it.
Because a data broker decides the purposes and means of its own processing, the law treats it as a controller with all the same responsibilities: a lawful basis, accuracy, security, and the duty to respond to your rights requests. The people-search sites and marketing-list companies you might find when you look yourself up online typically sit in this category.
So the relationship is one of nesting, not opposition. "Controller" is the broad legal category. "Broker" is a narrower commercial description of one kind of controller. Every data broker is a controller, but the vast majority of controllers, such as your dentist or your gym, are not brokers.
- A broker collects and sells data about people it has no direct relationship with.
- A broker is still a controller and carries the same legal duties.
- Every broker is a controller; most controllers are not brokers.
Why the distinction matters for your rights
Knowing which kind of organisation you are dealing with helps you set realistic expectations. With a controller you have a relationship with, the context is often clear: you know roughly what data they hold and why. With a data broker, the harder first step is simply finding out that they hold anything about you at all, because the collection happened indirectly.
Your rights, however, are the same in both cases. You can ask either one what they hold about you, ask them to correct mistakes, and in many situations ask them to stop using your data or erase it. Under UK GDPR these requests usually go to the controller, whether that controller is a familiar company or a broker you have only just discovered.
This article is general information, not legal advice. Where a broker operates under a different country's rules, the same idea tends to hold under that jurisdiction's own law and regulator, even though the exact wording and time limits vary. If a request is refused or ignored, you can raise the matter with the relevant data protection regulator.
- With a broker, the first challenge is discovering it holds your data at all.
- Your access, correction, and erasure rights apply to both equally.
- If a request stalls, the data protection regulator is your next step.
Frequently asked questions
Is every data broker also a data controller?
Yes. A data broker decides why and how it processes the personal data it collects, which is the legal definition of a controller under UK GDPR. So a broker is simply one type of controller, with all the same responsibilities to handle your data lawfully and respond to your rights requests.
Can a single company be both a controller and a broker?
It can. A company might act as an ordinary controller for its own customers while also running a side business that collects and sells data about other people. The role depends on the specific activity, so the same organisation can wear different hats for different sets of data.
Does it change which rights I have?
No. Your core UK GDPR rights, such as access, rectification, objection, and erasure, apply whether the organisation is a broker or any other controller. The practical difference is usually how easy it is to find the organisation and learn what it holds, not what you are entitled to ask for.
Who do I send a data request to?
You normally send it to the controller, because that is the party responsible for deciding how your data is used. If you are dealing with a data broker, the broker is that controller. Processors generally pass requests back to the controller they work for.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Know who holds your data, then ask them about it
Once you can tell a broker from any other controller, sending a clear data subject access request is the calm next step.