GDPR Roles

What are the different GDPR roles?

Data controller

A data controller is the person or legal entity that determines the purpose of the processing of personal data and how the data is processed.

In short, the role of the data controller will be to dictate how and what data is going to be used.

Read more about the responsibilities of a data controller.

Data processor

A data processor is the person or legal entity that processes data on behalf of the data controller.

Processors do not have the same role or obligations as controllers under the GDPR. However, as a processor you are also responsible for ensuring that you comply with the GDPR and demonstrate compliance with the GDPR data protection principles.

Read more about the responsibilities of a data processor.

Data subprocessor

A subprocessor is a data processor handling data on behalf of a company that is also acting as a data processor. Acting as a subprocessors, the company will have or potentially will get access to the personal data of the data controller’s customers.

An example of a subprocessor could be if a software company delivers HR software to customers. If the customers of the HR company add personal data about their employees, the HR company would then be a data processor. If the HR company uses AWS as a cloud hosting service, AWS would then be the subprocessor of the HR company.

Read more about the responsibilities of a data subprocessor.

Data protection officer (DPO)

A data protection officer ensures that the company complies with the GDPR. As a company you should appoint a DPO, if you process personal data as your core activity.

Read more about the responsibilities of a data protection officer.

Supervisory Authority

Supervisory authorities are independent public authorities that supervise the application of the data protection law. They provide advice on data protection issues and handle complaints lodged against violations of the GDPR and the relevant national laws

Read more about the responsibilities of supervisory authorities.

GDPR representative

Companies must appoint a GDPR representative if they are located outside the EU/EEA, but are targeting the European market. The representative’s role is to ensure that companies comply with the GDPR by enabling communication with individuals in Europe and European data protection authorities.

Read more about the responsibilities of GDPR representative.

Joint controllers

Not all vendors that you share data with are data processors. In cases where the vendor processes personal data for their own purposes, the vendor is also considered to be a controller. Joint controllers jointly determine the purposes and means of the processing.

Read more about the responsibilities of joint controllers.

Learn more about Privacy Hub →