Summary
- In this article it is argued that the distinction between controllers and processors is problematic, particularly in the complex processing environment created by new technologies. The trend is towards regulators and the courts finding that parties are controllers rather than processors in order to ensure protection of individuals.
- Organisations which fail to carefully consider whether they are a controller or a processor may be taking on legal risk and the potential for reputational damage.
- Completing meticulous and realistic analysis and accepting controller responsibilities where appropriate may bring significant advantages. Organisations accepting controller responsibilities can use the processes and tools set out in data protection law to demonstrate that their technologies operate in ways that protect individuals’ fundamental rights (but also constitute, where appropriate, a proportionate interference in those rights). This can bring commercial advantages, promote trust and effectively manage legal risk.
The distinction between controllers and processors
- The designations of controller[1] and processor[2] in data protection law are crucial. The central question for any processing of personal data is the impact of the processing on the individual and whether that impact can be justified on the basis of a number of criteria including in the public interest, the commercial interests of the organisation undertaking the processing, or the interests of third parties whose rights are also affected by the processing.[3] In data protection law this central determination is generally made by the controller. [4] The processor, by contrast, simply acts on the controllers’ instructions and has no interest in the data itself.[5] Once the contract between the controller and the processor has run its course the processor must return the personal data to the controller or destroy the personal data processed on the controller’s behalf.[6]
- The controller and processor distinction is not simply a matter of choice. The parties must undertake a careful analysis of their roles in practice. [7] The designation of a party in a contract as a controller or a processor is therefore not determinative. Processors who overstep the mark and are perceived to be making choices about the use of the data may be deemed to be controllers.[8] Failure to correctly designate a controller as such represents a breach of the framework. It may also result in a loss of trust and consequent reputational damage, as well as liability under the UK GDPR’s administrative fines regime.[9]
Joint controllership
- Where a number of entities work together to process personal data such that the processing is linked, the courts have found that they operate as joint controllers.[10] This is expressed by the courts as entities taking “common decision[s]” or “converging decisions”. [11] Where there are converging decisions these must “complement each other in such a manner that they each have a tangible impact on the determination of the purposes and means of the processing”.[12] The courts have found that entities were joint controllers where one organisation makes decisions about how personal data is used by developing guidelines or protocols for other organisations to follow.[13]Joint controllership has been established even where a party has no access to the personal data concerned.[14] However, a finding of joint controllership does not mean that all the parties bear the same responsibility for the processing. Instead, the level of responsibility must be assessed in light of all the relevant circumstances of the particular case. [15]
The processor designation – judgments of the courts
- The courts have interpreted the concepts of controller and processor under data protection law in such a way as to ensure that individuals’ fundamental rights are properly protected.[16]An early example is the case of Google Spain.[17] The question before the Court of Justice of the European Union (“CJEU”) was whether a search engine was a controller or a processor. Google argued that it was just a processor: it had no knowledge of the data, and therefore did not exercise control over the data.[18]
- The CJEU disagreed with Google’s arguments and found that Google was a controller of personal data. The CJEU reasoned that the activity of search engines played a “decisive role” in the “dissemination of the data” which would not otherwise have been possible without those tools. [19] The way in which the search engine made the relevant personal data available was ‘liable to affect significantly…the fundamental rights to privacy and the protection of personal data”.[20] In other words the search engine was a controller because of the significant effect which the technology had on the rights of individuals. The CJEU stated that a broad definition of the concept of a controller was consistent with the object of data protection rules which were to “ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects”.[21]
- More recent cases have expressed the concept of the controller as the entity which “exerts influence” over the processing for its own purposes, such that that entity is participating in decisions about the means and the purposes of the processing. [22]
- The case law suggests that a court may find that where the tools used to process individuals’ personal data have a profound effect on fundamental rights, a court may designate the entity that makes that tool available as a controller in order to protect the rights of data subjects. This line of reasoning has the potential to diminish the ability of providers of new technologies to claim that they are processors where the effect of that technology on individuals is profound.
The role of controllers and processors – the view of the Information Commissioner’s Office (“ICO”)
- The ICO (the UK’s data protection regulator) considered the controller/processor issue in the course of consulting on guidance on controllership in generative AI models. The ICO found that there was a risk that organisations deploying closed access AI models did not have meaningful control and influence over the processing. In those circumstances the ICO found that it was likely that the developer and deployer were joint controllers of the personal data processed within the models. [23] In taking this position the ICO rejected the argument from both trade membership bodies and the technology sector that developers would be processors at the deployment stage. It is likely that the ICO would take the same view in relation to other forms of new technologies.
The way forward
- Those developing new technologies or partnering with others to deliver innovations should carefully consider the level of influence they have over the way in which personal data is processed. It may be preferrable from a legal and reputational risk perspective to accept the position of being a joint controller. Being a controller of personal data should not be a bar to innovation. Rather, it simply involves a process of considering the impact of the new technology on people’s rights and whether it is proportionate and justifiable. This process is often not as difficult as might first be thought. Data protection law concerns issues which are relatively easily understood such as the question of whether the processing is fair and transparent and whether people’s rights and interests have been properly considered. Organisations which demonstrate that their processing meets these requirements are likely to find that their careful work gives them a commercial advantage. It will also help to build a brand that consumers and business customers trust.
[1] Under the UK GDPR a controller is defined in Article 4(7) as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. The ICO explains the concept of a controller as follows “Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.” See here.
[2] Under the UK GDPR a processor is defined in Article 4(8) as “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The ICO explains the concept of a processor as follows “Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.” See here.
[3] In the case of RTM v Bonne Terre Ltd & Hestview Ltd [2025] EWHC 111 (KB) Mrs Justice Collins-Rice explains this aspect as a balance between “the freedom and flourishing of public life and modern business and trade… and, on the other hand, the rights of individuals to privacy, ultimately derived from Art. 8 ECHR”.
[4] For example, the main data protection principles (fairness, lawfulness (including proportionality), accuracy, accountability etc) are the responsibility of the controller. See Article 5 of the UK GDPR. Exceptions to this exist in Chapter V relating to international data transfers where the processor is also responsible for risk-assessing the transfer. See Article 46 (1A) of the UK GDPR, in particular the requirement that the processor considers that the data protection test is met (ie that the standard of protection of personal data in the third country etc.is not materially lower than in the UK). This will require the processor to consider the standard of protection for the data subject. In other areas of the UK GDPR this sort of consideration falls on the controller rather than the processor.
[5] This is expressed in the EDPB’s Guidance on controllers and processors as follows “You do not pursue your own purpose in the processing other than your own business interest to provide services.” (see p.50).
[6] See Article 28(3)(g) of the UK GDPR.
[7] See the EDPB’s guidance at para 12. See also the ICO’s guidance which states “It is important to remember that an organisation is not by its nature either a controller or a processor. Instead you need to consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and the manner of that specific processing.” This means that an entity can be a controller for some purposes and a processor for others, although this can lead to operational complexity and the risk of data subject rights and protections falling through the gaps.
[8] See Article 28(10) of the UK GDPR. The processor is able to determine non-essential means of the processing and still fall within the processor designation. For example, the controller may stipulate the technical and organisational security measures that are required but leave it to the processor to determine the specific software to be used. See the EDPB’s guidance on controllers and processors and the example of the call centre on p.16.
[9] Infringements of Article 28 UK GDPR could result in a fine of up to 2% of annual worldwide turnover or an administrative fine of up to £8,700,000 (whichever is the higher).
[10] See Case C‑604/22, IAB Europe v Gegevensbeschermingsautoriteit, EU:C:2024:214 at para 59. Guidance from the EDPB states: “An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked.”
[11] Ibid, see para 59.
[12] Ibid, see para 59,
[13] Ibid, see paras 21 - 22 and paras 61 – 77.
[14] Ibid, see para 59.
[15] See Case C‑604/22, IAB Europe v Gegevensbeschermingsautoriteit, EU:C:2024:214 at [580.59].
[16] See for example Case C-40-17 Fashion ID [2019] ECLI:EU:C:2019:629, paras 65-67 and Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, para 28.
Dewitte, P. (2025). AI meets the GDPR: Navigating the impact of data protection on AI systems in The Cambridge Handbook of the Law, Ethics and Policy of Artificial Intelligence (pp. 133–150). Cambridge University Press. https://doi.org/10.1017/9781009367783.010 (doi.org in Bing) and Millard, C. (2020) At this rate, everyone will be a [joint] controller of personal data! International Data Privacy Law, 9(4).
[17] Case C-131/12 Google Spain [2014] ECLI:EU:C:2014:317.
[18] Ibid, see para 22.
[19] Ibid, see para 36.
[20] Ibid, see para 38.
[21] Ibid, see para 38.
[22] See for example Case C‑492/23 X v Russmedia Digital SRL and Inform Media Press SRL, EU:C:2025:935 at para 58, citing that judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949 at para 30.
Subscribe to receive more articles like this here.

