Managing Controller & Processor responsibilities under GDPR: Practical Insights

Written by Helena Brandt and Josefine Karlsson, May 14, 2025


How do you define responsibilities between controllers and processors in your privacy program - and how do you ensure you're staying compliant in practice?

In our recent Openli Community webinar, "Controller & Processor – How to Manage the Responsibilities in Practice?", we dove deep into the core definitions, responsibilities, and practical challenges facing legal professionals. 

Helena Brandt and Josefine Karlsson from Fondia share their advice and knowledge in this article.

Setting the Scene: Why is it important?

Understanding the distinctions between 

  • data subjects, 
  • controllers, 
  • processors, and 
  • sub-processors 

isn’t just academic - it’s foundational. 

Without a clear grasp on these definitions, legal teams risk misallocating responsibilities and failing compliance obligations.

Controllers determine the “why” and “how” of data processing. Processors act on their behalf. 

Latest Developments: The EDPB’s Opinion

The European Data Protection Board’s (EDPB) 2024 Opinion 22 clarified expectations around GDPR Article 28:

  • Controllers must maintain accurate records of all processors and sub-processors, including names, addresses, and contacts.

  • Processors should proactively provide this information, maintaining transparency and building trust.

  • Controllers have a duty to verify safeguards, regardless of the processing risk.

  • Risk-adapted verification strategies are recommended.

  • Transfers to third countries must comply with both Articles 28 and 44 - including appropriate safeguards and documentation such as TIAs (Transfer Impact Assessments).

Legal teams must ensure continuous oversight of data relationships and potential cross-border transfers.

Controller vs. Processor: The practical struggle

Many organizations struggle to define their role.

It's common - and increasingly accepted - for entities to act as both controller and processor depending on the situation or service provided.

A key takeaway? Re-evaluate your role regularly. Your processing activities and partnerships evolve, and so should your role assessments. And don’t rely solely on contractual definitions: regulators look at the reality of the relationship.

📝 Tip: Ask yourself, "Who benefits from the processing?" and "Who dictates how it's done?"

Contracts & DPAs: Tools for Clarity

Data Processing Agreements (DPAs) are more than legal formalities - they're operational blueprints.

✅ Controllers must:

  • Provide clear instructions.

  • Ensure compliance throughout the contract chain.

  • Use their own DPA templates where possible—or at least benchmark against them.

  • Log deviations from standard terms for future audits.

✅ Processors should:

  • Use tailored instruction appendices.

  • Ensure contractual simplicity and clarity.

  • Be transparent with sub-processors and controllers.

Legal design matters too: An overly complex DPA may be unreadable in a breach scenario. Aim for simplicity without sacrificing accuracy.

Navigating Transfers & Geopolitical Risks

With the EU-U.S. and UK adequacy decisions under increased scrutiny - especially following policy shifts under President Trump’s administration - transfers must be handled with care.

Controllers and processors should:

  • Map data flows and assess third-country dependencies.

  • Maintain TIAs for high-risk transfers.

  • Prepare for adequacy decisions being overturned (as happened with Privacy Shield).

  • Consider Binding Corporate Rules (BCRs) for intra-group transfers—despite their complexity.

The key? Be proactive. Know your exposures and create exit strategies where possible.

Checklist for Privacy Teams

📌 For Controllers:

  • Map processing activities and data flows.

  • Track and manage processor and sub-processor relationships.

  • Maintain, audit, and review DPAs.

  • Conduct risk-based supplier assessments.

  • Monitor adequacy decisions and prepare alternatives.

📌 For Processors:

  • Keep sub-processor data current.

  • Provide transparent and timely updates to controllers.

  • Use tools to automate tracking and reporting.

  • Build trust by being proactive—not reactive.

Conclusion: Work Smarter, Not Harder

Managing controller and processor roles is increasingly complex - but it doesn’t have to be overwhelming. Use technology to streamline tasks, maintain visibility, and ensure documentation is audit-ready. As Helena wisely noted, "You can only come so far with Excel."

Whether you're a solo legal counsel or part of a large privacy team, the right mix of clarity, process, and tooling can transform compliance from burden to opportunity.