Data Controller vs Data Processor: Roles, Responsibilities & the Right Tools
What is a data controller? What is a data processor? This guide explains the difference, your GDPR obligations for each role, and the compliance tools data controllers use to stay compliant.
If your organization handles personal data — and nearly every business does — GDPR requires you to understand exactly which role you play: data controller, data processor, or both. Getting this wrong isn’t just a compliance risk; it affects what legal obligations apply to you, who bears liability, and which tools you need.
This guide explains the difference between data controller, data processor, and data protection officer (DPO), with practical examples for SaaS companies — and the tools data controllers actually use to stay compliant.
What Is a Data Controller?
A data controller is any natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. In plain English: the controller decides why personal data is collected and how it will be processed.
Under GDPR, data controllers carry the most significant compliance obligations:
- Process personal data lawfully, fairly, and transparently (Article 5)
- Maintain a Record of Processing Activities (RoPA) under Article 30
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35)
- Carry out Transfer Impact Assessments (TIAs) for cross-border data flows (Chapter 5)
- Respond to data subject rights requests — access, erasure, portability (Chapter 3)
- Appoint a Data Protection Officer (DPO) where required (Article 37)
- Ensure processors only act on documented instructions via a Data Processing Agreement (DPA)
Example: Data Controller in a SaaS company
A B2B SaaS company providing project management software collects names, email addresses, and project data from customers’ employees. The SaaS company decides why this data is collected (to deliver the service) and how it’s processed (stored in their cloud infrastructure, used for product analytics). This makes them the data controller.
Their customers — whose employees’ data is being processed — may also be controllers for their own processing purposes, creating a joint controller relationship in some cases.
What Is a Data Processor?
A data processor is any natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller. The processor acts under the controller’s instructions and does not determine the purpose of processing.
GDPR obligations for processors include:
- Process personal data only on the controller’s documented instructions
- Implement appropriate technical and organizational security measures (Article 32)
- Notify the controller of any personal data breach without undue delay
- Not engage sub-processors without prior written authorization from the controller
- Delete or return all personal data after service termination (Article 28)
Example: Data Processor in a SaaS context
If the same SaaS company uses Stripe for payment processing, Stripe processes cardholder data on behalf of the SaaS company — not for its own purposes. Stripe is the data processor. When Stripe further delegates processing to its banking partners, those become sub-processors.
The SaaS company must have a valid Data Processing Agreement (DPA) in place with Stripe, and must ensure Stripe (and its sub-processors) meet GDPR security standards.
What Is a Data Protection Officer (DPO)?
A Data Protection Officer (DPO) — or virtual DPO (vDPO) for organizations that outsource the function — is the person responsible for overseeing an organization’s data protection strategy and ensuring GDPR compliance.
GDPR requires a DPO for organizations that:
- Are a public authority or body
- Carry out large-scale systematic monitoring of individuals
- Process special categories of data (health, biometric, criminal) at large scale
Even where not required, many SaaS companies appoint a vDPO as a best practice.
DPO responsibilities include:
- Advising the organization on GDPR obligations
- Monitoring compliance and conducting internal audits
- Acting as the point of contact for supervisory authorities (the national data protection authorities)
- Advising on and reviewing DPIAs
- Training staff on data protection obligations
The liability difference: Controller vs Processor vs DPO
| Role | Who? | Primary liability |
|---|---|---|
| Data Controller | Determines purpose & means of processing | Full GDPR liability for unlawful processing |
| Data Processor | Processes on controller’s behalf | Liable for breaching processor-specific obligations |
| DPO | Oversees compliance strategy | Advisory role — no personal GDPR liability |
The controller bears the heaviest responsibility. If a processor causes a breach by acting outside controller instructions, they become liable as a controller for that processing.
The GDPR Compliance Obligations Data Controllers Can’t Ignore
Most data controller fines come from failing to implement proper systems for these four obligations:
1. Record of Processing Activities (RoPA) — Article 30
Every data controller must maintain a written record of all processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients and transfers to third countries
- Retention periods
- Technical and organizational security measures
This is not optional above 250 employees, and many supervisory authorities expect it from all controllers regardless of size.
2. Transfer Impact Assessments (TIA) — Chapter 5
After Schrems II invalidated Privacy Shield, every transfer of personal data outside the EU/EEA requires a TIA when relying on Standard Contractual Clauses (SCCs). A TIA evaluates whether the third country’s surveillance laws and access rights undermine the protections offered by the SCCs.
3. Data Protection Impact Assessment (DPIA) — Article 35
A DPIA is required for high-risk processing — systematic profiling, large-scale processing of sensitive data, systematic monitoring of public areas — and must be completed before the processing begins.
4. Data Subject Rights Management
Controllers must respond to access, erasure, rectification, and portability requests within 30 days. Without a system to track and action these, compliance is impossible at scale.
Tools Data Controllers Use to Stay Compliant
Managing these obligations manually in spreadsheets leads to audit failures. Purpose-built compliance software for data controllers handles the entire workflow — from RoPA maintenance to TIA documentation to DPIA risk scoring.
Unicis for Data Controllers
Unicis provides a suite of open-source compliance modules purpose-built for data controllers and DPOs:
- Record of Processing Activities (RoPA): Maintain a GDPR Article 30 compliant inventory of all processing activities. Document legal bases, data categories, retention periods, and cross-border transfers in structured, auditable records — not spreadsheets.
- Transfer Impact Assessment (TIA): Conduct five-step TIAs to evaluate cross-border transfer risks. Pre-built templates for SCCs, BCRs, and adequacy decisions. Available as a Jira app for teams already using Atlassian.
- Privacy Impact Assessment / DPIA (PIA): Run GDPR Article 35 DPIAs with quantitative risk scoring, stakeholder review workflows, and corrective action tracking. Documents the risk assessment process for regulators.
- Interactive Awareness Program (IAP): Train staff on GDPR obligations with structured, trackable awareness programs. Auto-issue certificates and generate audit-ready completion reports for your evidence package.
- Cybersecurity Controls (CSC): Implement the technical and organizational measures (TOMs) required under GDPR Article 32. Map controls across MVSP, ISO 27001, NIS2, and GDPR simultaneously.
Who Needs a DPA? (Data Processing Agreement)
Any time a controller engages a processor to handle personal data, a Data Processing Agreement (DPA) is required under GDPR Article 28. This applies to:
- Cloud hosting providers (AWS, Azure, GCP)
- SaaS tools that process employee or customer data
- Marketing platforms (email, CRM, analytics)
- Payment processors
- HR and payroll systems
The DPA must specify what data is processed, for what purpose, security requirements, breach notification obligations, and data deletion terms. Unicis maintains a Data Processing Agreement (DPA) for customers using the cloud-hosted platform.
Summary: Controller, Processor, DPO at a Glance
Understanding which role your organization plays determines everything — your GDPR obligations, the tools you need, and your exposure to fines.
- Data Controller: You decide why and how personal data is processed → full GDPR obligations apply → you need RoPA, TIA, DPIA, DSR management
- Data Processor: You process data on a controller’s behalf → limited obligations → you need a DPA and must follow controller instructions
- DPO: You oversee compliance → advisory role → mandatory for certain organizations, best practice for all
If you’re a SaaS company handling customer data, you’re almost certainly a data controller — and you need systematic tools to manage your compliance obligations. Spreadsheets don’t pass audits.
Start managing data controller obligations with Unicis → Community plan is free forever — RoPA, TIA, and GDPR controls included. No credit card required.