How does GDPR define a “data controller” and “data processor”?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When you send marketing email to your subscribers, two distinct GDPR roles come into play.

You're the data controller: you decide what data to collect, why, and how it's used. You determine who receives it and for how long. You bear primary responsibility for GDPR compliance and are accountable directly to your subscribers and to data protection authorities.

Your email service provider is typically the data processor: they process personal data on your behalf and under your instructions. They send emails containing subscriber data because you told them to. They don't independently decide what to do with your list. Processors have their own GDPR obligations (security measures, assisting with rights requests), but they operate within the scope you define.

The lines can blur. Your ESP is your processor for campaigns, but they may be a controller for their own marketing to you. GDPR requires a written Data Processing Agreement (DPA) between you and any processor handling EU subscriber data. Most major ESPs provide these. Check your account settings or ask support if you haven't signed one. Joint controller arrangements also exist when two organizations together determine processing purposes.

Your next step: verify you have a signed DPA with your ESP and any other third party that processes your subscriber data. If you can't find it in your account, ask them directly, most publish these publicly now. For subscriber-facing obligations, you as the controller are responsible regardless of which processor you use. This is general information, consult a GDPR specialist for advice specific to your situation.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me figure out my GDPR controller/processor roles and what agreements I need in place.

I read this on the Email Almanac about how GDPR defines data controllers and processors. I want to figure out my role in my email program and what obligations that creates. My situation: 1. Who decides what subscriber data to collect and how to use it? me / my ESP / both 2. Does my ESP process subscriber data according to my instructions? yes / no / unsure 3. Have I signed a Data Processing Agreement (DPA) with my ESP? yes / no / unsure 4. Do I share subscriber data with other third parties (analytics, CRM, ad networks)? yes, which ones / no 5. Have I checked whether I have joint controller arrangements with any partners? yes / no / not applicable --- My details: - Email platform/ESP: e.g. Mailchimp, SendGrid, HubSpot - Domain(s): your sending domain - Audience locations: US only / EU / global - Business type: B2B / B2C / both - GDPR compliant already: yes / partially / no

Edit the yellow boxes, then send to the AI of your choice.