Privacy concepts, explained
Data Controller vs Data Processor: Who's Responsible?
Two organisations can both touch your data, yet only one is answerable for your rights. Knowing which is the controller and which is the processor tells you who to ask, and who actually carries the duties under data-protection law.
In short
A data controller decides why and how your personal data is used, so it carries the legal duties and answers your rights requests. A data processor only acts on the controller's instructions, such as a hosting or payroll firm. The controller is responsible, so it is who you send an access or erasure request to.
The core difference: deciding vs acting on instructions
Data-protection law splits the organisations that handle your personal data into two roles. A data controller is the party that decides why your data is collected and how it is used. A data processor handles that data only on the controller's behalf, following the controller's instructions, without choosing the purpose itself. The same information can pass through both, but the roles are quite different.
A simple example helps. Imagine an online shop that keeps a list of its customers. The shop decides to keep the list, what to use it for, and how long to hold it, so the shop is the controller. The shop then pays a separate company to host its database and send its emails. That company touches the same data but does not decide what it is for, so it is acting as a processor. The decision-maker is the controller; the hired hands are processors.
Under the UK GDPR, for instance, the regulator is the Information Commissioner's Office (ICO), and the law places the primary duties on the controller. This is general information rather than legal advice, but the pattern is consistent: responsibility follows the decision, not the server the data happens to sit on.
- Controller: decides the why and the how of using your data
- Processor: handles the data only on the controller's instructions
- Responsibility follows the decision-maker, not whoever physically stores the data
Who is actually responsible, and to whom
Because the controller decides the purpose, the law makes the controller the party answerable for handling your data lawfully and for responding when you exercise your rights. A processor has its own obligations, mainly around security and acting strictly on instructions, but it is not usually the party that owes you a personal answer about your data.
This is why the distinction is practical and not just academic. A request sent to a processor will often be redirected, because the processor is not permitted to make decisions about your data on its own. It will typically pass your request back to the controller. Sending it to the controller from the start avoids that detour and the delay it causes.
Sometimes two or more organisations jointly decide the purpose. They may then be joint controllers, and either of them can usually be a valid starting point for a request. If you are ever unsure of an organisation's role, a short, calm question is reasonable: are you the controller for the data you hold about me, or are you processing it for someone else?
- The controller carries the duty to answer your rights requests
- A request sent to a processor is usually redirected to the controller
- Joint controllers share the purpose, so either can be a valid starting point
Why this matters before you send a request
Knowing the roles changes where you start. If you want to ask what an organisation holds about you, or ask it to correct or erase something, the controller is the party that can lawfully act on that request. Identifying it first is the quiet groundwork that makes the rest of the process smoother.
In everyday life the controller is often the organisation you recognise and chose to deal with: the retailer, the bank, the clinic, the app you signed up to. The processors behind them, the hosting providers, analytics firms and mailing services, are usually invisible to you, which is fine, because the recognisable organisation is normally the right one to address.
OSINTA is built to help you understand your own digital footprint and route your own data-rights requests, with the system suggesting and you deciding. Part of that is making the controller-versus-processor question easy to answer, so a request lands with the party who can actually act on it. This article is general information, not legal advice; for your specific situation the ICO's guidance or a qualified adviser is the right reference.
- Identify the controller first; it is the party that can act on your request
- The organisation you recognise and chose is usually the controller
- When in doubt, ask the organisation which role it plays for your data
Frequently asked questions
What is the simplest way to tell a controller from a processor?
Ask who decided the data would be used and what for. The organisation that chose the purpose is the controller. An organisation that only handles the data on someone else's instructions, such as a hosting or payroll provider, is a processor.
Can I send a data-rights request to a processor?
You can, but it is usually redirected. A processor is not permitted to make decisions about your data on its own, so it will normally pass the request back to the controller. Sending it to the controller from the start avoids that delay.
What are joint controllers?
When two or more organisations jointly decide why and how your data is used, they may be joint controllers. Each shares responsibility, and either one can typically be a valid starting point for a request about your data.
Does the processor have any responsibilities at all?
Yes. A processor has its own duties, mainly to keep data secure and to act strictly on the controller's instructions. It is just not usually the party that answers your personal rights requests, because it does not decide the purpose of the processing.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.