Controller vs Processor Responsibilities Checklist

A reusable checklist for deciding controller vs processor responsibilities across products, vendors, support, analytics, and changing workflows.

Figuring out whether your team is acting as a controller, a processor, or both is one of the most practical privacy compliance decisions you will make. It affects contracts, product design, security controls, incident handling, customer messaging, and who must answer for data subject rights. This guide gives you a reusable, real-world checklist for assigning GDPR roles across products, vendors, and internal teams so you can make defensible decisions before signing a deal, launching a feature, or changing a workflow.

Overview

Here is the short version: a controller decides the purposes and means of processing personal data, while a processor handles personal data on behalf of a controller. That framing is consistent with standard GDPR terminology and is reflected in practical vendor guidance as well. In Microsoft’s GDPR materials, for example, the customer is typically the controller for its customer data, while Microsoft acts as a processor for online services when it follows the customer’s documented instructions.

In practice, this sounds simple but breaks down quickly once teams look at analytics, logging, support access, AI features, subcontractors, and shared decision-making. A company can be a controller in one workflow and a processor in another. It can also be a processor for one category of data and an independent controller for another, especially where service improvement, security logging, fraud prevention, or legal compliance are involved.

For technology teams, the safest evergreen approach is to stop treating controller vs processor as a label for an entire company and start treating it as a role assigned per processing activity. That means asking, for each workflow: who decided why the data is being processed, who decided the essential means, whose instructions govern the activity, and what contract or notice supports that decision.

Use this article when you are:

reviewing a new SaaS vendor
building a customer-facing product
adding analytics, support tooling, or AI features
drafting or negotiating a data processing agreement checklist
updating your RoPA template or privacy notice requirements
preparing for audit work tied to privacy compliance or SOC 2 readiness

If you need a broader operational baseline, pair this with our GDPR Compliance Checklist for SaaS Companies and our SOC 2 Readiness Checklist by Control Area.

Core rule of thumb: if your team decides why personal data is used and the key decisions about how it is used, you are usually acting as a controller for that processing. If your team is handling the data only to deliver a service under someone else’s instructions, you are usually acting as a processor.

Checklist by scenario

This section gives you practical checklists you can reuse by scenario. The goal is not to force a legal answer from one question, but to help product, security, procurement, and privacy teams reach an operationally consistent conclusion.

Scenario 1: You run a product used by your own customers

Typical answer: you are usually the controller for account, billing, user management, product operations, and customer communications. You may also use subprocessors.

Do you decide what personal data users must provide to sign up?
Do you decide retention periods, account lifecycle rules, and product analytics settings?
Do you choose the core functionality and decide what data is necessary to provide it?
Do you publish the privacy notice that explains why the data is processed?
Do you decide whether data is used for marketing, fraud prevention, or service improvement?

If the answer is yes to most of these, your organization is likely acting as controller for those activities. Your cloud host, CRM, support platform, and email platform may then act as processors or subprocessors, depending on the function and contract.

Operational follow-up:

Map each processing activity in your RoPA template.
Make sure your privacy policy compliance work reflects actual product behavior.
Check that each vendor handling customer data has appropriate contractual terms.
Align your access control policy example, logging design, and data retention policy template with the role you have assigned.

Scenario 2: You provide SaaS infrastructure to a business customer

Typical answer: your customer is often the controller for the customer data they upload, and you are often the processor for that customer data.

Are you processing personal data to deliver the contracted service rather than for your own independent purpose?
Do you follow documented customer instructions for storage, deletion, export, and access?
Does your contract describe you as processing data on behalf of the customer?
Can the customer configure or control key parts of the processing?
Are your internal teams trained not to repurpose customer data beyond what the contract and law allow?

If yes, processor status is often the most defensible conclusion for the customer data handled within the service. This is the classic setup reflected in many enterprise cloud relationships.

But pause before simplifying: some surrounding activities may still make you an independent controller for limited purposes, such as certain security logs, fraud detection, billing, or legal compliance records. The safest interpretation is to document those processing activities separately instead of assuming one role covers everything.

Operational follow-up:

Maintain a clear data processing agreement checklist.
List subprocessors and explain their role.
Document how customer instructions are received and implemented.
Define boundaries for support access, diagnostics, and system-generated logs.

Scenario 3: You are a vendor with support access to customer environments

Typical answer: often processor, but the details matter.

Is support access temporary, ticket-based, and approved by the customer?
Are support engineers limited to troubleshooting under documented instructions?
Do you restrict access through role-based controls and session logging?
Do you prohibit using accessed data for unrelated internal purposes?
Do you define retention and deletion rules for support artifacts, screenshots, and exports?

When support access is tightly scoped to fulfilling the service, processor treatment is often appropriate. If support artifacts are later mined broadly for internal research or model training without a customer-directed basis, the role analysis can change.

Scenario 4: You use third-party analytics or product telemetry

Typical answer: your company is usually the controller for deciding to collect analytics; the analytics vendor may be a processor, though some vendors may position themselves differently depending on how they use the data.

Who chose to implement the analytics tool?
Who decided which events, identifiers, and user attributes will be sent?
Can the vendor use that data for its own purposes beyond providing the service?
Do your notices accurately describe the analytics processing?
Have you reviewed data minimization and retention settings?

This is a frequent source of confusion. The fact that a vendor provides the code or dashboard does not make them the controller automatically. Start with who determines the purpose of tracking and whether the vendor is acting on your behalf or for its own independent purposes.

For teams building new telemetry-heavy features, this is also a good time to revisit privacy-preserving design patterns. Our piece on Architectural Patterns to Resist Bulk Data Analysis Requests is useful if you are trying to reduce unnecessary exposure while preserving utility.

Scenario 5: You process HR, payroll, or applicant data internally

Typical answer: your organization is usually the controller for employee and applicant data it collects and manages.

Do you decide why candidate data is collected and how long it is kept?
Do you choose the HRIS, payroll provider, and recruiting stack?
Do you determine access privileges for managers, HR, and finance?
Do you issue internal notices and policies for workforce data?

In most cases, the employer is the controller and the HR platforms are processors for the relevant services. Again, map each processing activity carefully rather than relying on procurement shorthand.

Scenario 6: You act as a managed service provider or security operator

Typical answer: often processor for customer environment monitoring and administration, but some activities may be separate.

Are you following customer instructions for monitoring, patching, incident handling, and access?
Do you define detection logic independently, or under agreed service scope?
Do you retain customer event data only as needed for the service?
Do you use customer data to improve your own generalized detections or threat intelligence?

Security services create mixed-role situations more often than teams expect. Running alerts and response actions on behalf of a customer points toward processor activity. Using the same data set for your own long-term intelligence products, benchmarking, or unrelated research may require separate analysis and disclosure.

Scenario 7: You rely on subprocessors

Typical answer: if you are a processor and engage another provider to help deliver the service, that provider is commonly your subprocessor.

Do you have authorization from the controller to use subprocessors?
Can you provide a current subprocessor agreement or subprocessor list?
Do downstream terms impose equivalent protection obligations?
Have you documented cross border data transfer compliance where relevant?
Do customers have a process to receive notice of subprocessor changes?

This is where role clarity matters operationally. If you are the processor, you usually cannot leave subprocessor governance to procurement alone. Privacy, security, engineering, and vendor management all need a shared inventory.

For broader supplier oversight, see What a 'Supply Chain Risk' Label Means for AI Vendors — A CISO's Checklist.

Typical answer: this may be a joint controller or independent controller scenario, not a processor scenario.

Are two parties jointly deciding the purpose of the processing?
Are both parties influencing the essential means?
Would the processing still occur in roughly the same way if one party withdrew?
Are both parties collecting value directly from the activity?

If both parties substantially shape why the personal data is used, treat that as a sign to stop using the processor label casually. This area needs more careful role design, transparent notices, and clear allocation of responsibilities.

What to double-check

Once you have a provisional answer, work through these checks before operationalizing it.

1. Separate the company from the processing activity

Do not ask, “Are we a controller or processor?” Ask, “For this workflow, what role are we playing?” The same company may be controller for user accounts, processor for hosted customer content, and separate controller for billing and security logs.

2. Compare the contract to actual behavior

A DPA cannot fix a role assignment that your product contradicts. If the agreement says you act only on customer instructions, but your engineering roadmap includes broad internal reuse of customer data, you have a governance problem. Review the DPA, privacy notice, security policy template, and product design together.

3. Check the real decision-makers

The decisive question is not who stores the data but who determines the purpose and essential means. This often becomes clear when you ask:

Who selected the fields?
Who decided retention?
Who approved secondary use?
Who can say no to a new use case?

4. Review logs, diagnostics, and metadata separately

System-generated logs and service telemetry are often handled differently from customer-uploaded content. Source material in enterprise cloud settings commonly distinguishes customer data from system-generated logs for exactly this reason. Treat logs, identifiers, support artifacts, and diagnostics as their own processing categories and assign roles deliberately.

5. Make sure notices and rights handling line up

If you are the controller, your privacy notice requirements, lawful basis analysis, retention disclosures, and rights response workflows need to match reality. If you are the processor, you need a clear route for helping the controller meet requests without answering beyond your role.

6. Verify security and incident responsibilities

Role assignment should connect directly to your cybersecurity compliance work.

Who detects and escalates a breach?
Who informs whom, and on what timeline?
Who preserves evidence?
Who communicates with affected customers or data subjects?

This is especially important for breach notification requirements and incident response plan template reviews. If your role model is vague, incident handling will be vague too.

7. Confirm cross-border and subprocessor implications

Even where the controller-processor split is clear, teams still need to ask where data is stored, who can access it, and what transfer mechanism or contractual framework supports that movement. Vendor role classification should feed directly into your transfer review and third party risk management process.

Common mistakes

These are the mistakes that create the most avoidable friction during audits, customer reviews, and internal escalations.

Calling every vendor a processor

Some vendors process on your behalf; others may act as independent controllers for their own service operations, fraud prevention, billing, or legal compliance functions. Treat role allocation as a workflow question, not a default procurement checkbox.

Using one label for all data types

Customer content, employee data, account records, payment details, and telemetry may not share the same role assignment. Splitting them out early makes your RoPA template, DPA review, and audit evidence checklist much stronger.

Ignoring internal teams

Privacy compliance roles are not just about external vendors. Product, support, marketing, security, and data teams may each trigger distinct controller decisions. If no one owns those decisions, your documented role model will drift from reality.

Forgetting about secondary use

A service can begin as straightforward processor activity and become something else when the provider starts using the data for training, benchmarking, advertising, or generalized analytics. If the business relationship changes, revisit the role assignment immediately.

Assuming security access is exempt from role analysis

Security monitoring, support sessions, and incident response often involve sensitive personal data. These activities still need purpose limitation, access controls, retention rules, and contractual clarity. Articles like Browser AI + Extensions = New Attack Surface: Hardening Policies After the Chrome Gemini Vulnerability show how quickly technical changes can alter the privacy and security posture of a workflow.

Leaving the answer only in legal documents

If engineering tickets, architecture diagrams, data maps, and onboarding runbooks do not reflect the same role logic, the organization will not operate consistently. Controller and processor decisions should appear in procurement review, vendor inventories, data flow diagrams, and incident runbooks.

When to revisit

This checklist is worth revisiting whenever the underlying facts change. In real teams, role assignments rarely fail because the original answer was impossible; they fail because no one updated the answer after the product, contract, or workflow changed.

Revisit your controller vs processor analysis when:

you launch a new product line or feature
you add analytics, AI, or user behavior tracking
you onboard a new vendor or subprocessor
you enter a new region and need cross border data transfer compliance review
you change retention, deletion, or backup architecture
you expand support access or managed services scope
you start using customer data for service improvement or training
you revise your privacy notice, DPA, or security policy template
you prepare for annual planning or a compliance audit

Practical quarterly review routine:

Pick your top ten processing activities by sensitivity or volume.
For each one, identify the purpose, essential means, and current decision-maker.
Compare that map to your contracts, privacy notices, and vendor records.
Flag any workflow where actual behavior has outgrown the documented role.
Assign remediation owners across legal, privacy, engineering, and security.

Before you act on any new workflow, ask these five questions:

Why is this personal data being processed?
Who decided that purpose?
Who decided the essential means?
Whose instructions govern the processing day to day?
Do our contracts, notices, and controls reflect that answer?

If you can answer those clearly, you are usually in a strong position to classify the role, scope the right obligations, and avoid confusion later. If you cannot, pause the rollout and resolve the governance gap first.

That is the enduring value of this topic: every new feature, vendor, and process change can alter privacy compliance roles. Keep this checklist close, review it before seasonal planning cycles, and use it whenever tools or workflows change. It is much easier to assign controller and processor responsibilities before launch than to reconstruct them during an audit or after an incident.