Skip to main content

Understanding the Data Privacy Roles: Controller, Processor, and Data Protection Officer

· 4 min read
Predrag Tasevski

There are many terms and roles in the world of data protection and privacy that can be confusing. The controller, processor, and data protection officer are three of the most commonly misunderstood roles. Understanding the distinctions between these roles is critical for ensuring compliance with data protection regulations and protecting your customers', clients', and employees' privacy.

What Is A Controller?

A controller is a natural or legal person, governmental authority, agency, or other body that determines the purposes and methods of processing personal data. The controller is the organization that decides why and how personal data is processed. Furthermore, join controller has a shared purpose and agrees on the purpose and means of processing data with data controller, but this does not apply if the same data is used for different purposes.

Under data protection regulations, controllers must:

  • Ensure that personal data is processed lawfully, fairly, and transparently;
  • Only collect personal data for specific, explicit, and legitimate purposes;
  • Ensure that personal data is accurate and up to date;
  • Keep personal data secure; and
  • Provide individuals with certain rights, such as the right to access their personal data.

Example of Data Controller

When a SaaS company provides a cloud-based project management tool, it may collect and process personal data from its customers' employees or contractors, such as names, email addresses, and project details. The SaaS company would be the data controller in this case, as it determines the purposes and means of processing this personal data.

What Is A Processor?

A processor is any natural or legal person, public authority, agency, or other body that processes personal data on the controller's behalf. In other words, a processor is the organization that actually performs personal data processing on behalf of the controller. When a data processor chooses to sub-contract some or all of the data processing to a third party is commonly referred to as a "sub-processor".

Processors are also required by data protection regulations to:

  • Only process personal data in accordance with the controller's instructions
  • Ensure personal data security
  • Assist the controller in meeting their obligations under data protection regulations
  • Inform the controller of any breaches or security incidents involving personal data

Example of Data Processor

If a SaaS company provides an online payment processing service as part of its application, the payments may be processed by a third-party payment processor such as Stripe or PayPal. The payment processor is the data processor in this case because it processes personal data (such as credit card numbers and billing addresses) on behalf of the SaaS company's customers.

Unicis Platform Beta

With Unicis, you can manage tasks for security, privacy, and compliance team in one place.
Collaborate accross multiple teams about gap analysis, register of procedures and transfer impact assessment.

What Is A Data Protection Officer (virtual DPO)?

A data protection officer (DPO) is a person who may be an in-house employee or an external consultant acting as a virtual DPO and charge of overseeing a company's data protection strategy and ensuring compliance with data protection regulations. The General Data Protection Regulation (GDPR) requires a DPO for certain types of organizations, such as those that process large amounts of sensitive personal data or conduct large-scale monitoring of individuals.

A DPO's responsibilities include the following:

  • Educating the organization and its employees on data protection regulations and best practices;
  • Advising the organization on its data protection strategy;
  • Monitoring the organization's compliance with data protection regulations; and
  • Acting as a point of contact for individuals and regulators regarding data protection issues.

Example of a (virtual) Data Protection Officer

The DPO or virtual DPO would collaborate closely with the management and technical teams of the SaaS company to assess the company's data protection risks and develop policies and procedures to mitigate those risks. They would also provide data protection best practices guidance and training to the company's employees, as well as monitor compliance with data protection regulations.

The Difference and Liability?

The main distinction between a controller and a processor is that the controller decides why and how personal data is processed, whereas the processor actually performs that processing on behalf of the controller. The DPO, is in charge of overseeing an organization's data protection strategy and ensuring compliance with data protection regulations. To put it another way, the controller and processor are more concerned with the operational aspects of data processing, whereas the DPO is concerned with the strategic and compliance aspects. While all three roles are important for ensuring personal data protection and compliance, only the data controller and processor are personally liable.


Any organization that processes personal data must understand the roles and responsibilities of controllers, processors, and data protection officers. Organizations can build TRUST with their customers and stakeholders while avoiding costly legal and reputational consequences by ensuring compliance with data protection regulations and protecting individuals' privacy.


As a result, Unicis.Tech has created a suite of apps to assist the data controller, data processor, and DPO or vDPO.

  • The Record of Processing Activities (RoPA) app in Atlassian Jira is an inventory app that helps data processors handle personal data in accordance with the controller's instructions. In addition, assist the DPO in monitoring compliance with data protection regulations.
  • The Transfer Impact Assessment (TIA) for Jira app assists the DPO/vDPO as well as the data controller and processor in evaluating the security risks and data impact of transfers to third-party nations or countries within and outside the European Economic Area.
  • The Cybersecurity Controls (CSC) Jira app assists the DPO with strategic, technical, and organizational measures (TOMs) to advise the organization on how to have a minimum viable secure product and services.
  • The Interactive Awareness Program (IAP) app for Confluence assists DPOs and vDPOs in developing custom data protection regulations, security, compliance, and best practices education programs for the organization and its employees.

Please see the prices here and send us a request for more information.