How does GDPR define a “data controller” and “data processor”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When you send marketing email to your subscribers, two distinct GDPR roles come into play.
You're the data controller: you decide what data to collect, why, and how it's used. You determine who receives it and for how long. You bear primary responsibility for GDPR compliance and are accountable directly to your subscribers and to data protection authorities.
Your email service provider is typically the data processor: they process personal data on your behalf and under your instructions. They send emails containing subscriber data because you told them to. They don't independently decide what to do with your list. Processors have their own GDPR obligations (security measures, assisting with rights requests), but they operate within the scope you define.
The lines can blur. Your ESP is your processor for campaigns, but they may be a controller for their own marketing to you. GDPR requires a written Data Processing Agreement (DPA) between you and any processor handling EU subscriber data. Most major ESPs provide these. Check your account settings or ask support if you haven't signed one. Joint controller arrangements also exist when two organizations together determine processing purposes.
Your next step: verify you have a signed DPA with your ESP and any other third party that processes your subscriber data. If you can't find it in your account, ask them directly, most publish these publicly now. For subscriber-facing obligations, you as the controller are responsible regardless of which processor you use. This is general information, consult a GDPR specialist for advice specific to your situation.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.