GDPR Role Allocation: Controllers, Processors & Accountability in Practice

One of the most significant challenges in data protection is the allocation of roles - particularly the identification of the Controller - and the resulting uncertainty around responsibilities when processing personal data. This issue arises in many different contexts and takes various forms. For many organisations, unclear role allocation constitutes a central risk factor with implications across all aspects of data protection work where processing involves more than one party.

To clarify responsibilities and practical solutions, Pia Rosengren, Managing Director of Data Privacy, has written an article that aims to support organisations in establishing accountability, compliant contractual structures, and effective governance across complex processing arrangements.

Part 1: Who is Really the Controller of Personal Data?

Understanding roles as the foundation for accountability and compliant agreements

Back in 2018, countless Data Processing Agreements (DPAs) were (and maybe still are?) signed, often with questionable conditions. Many organisations believed they needed a DPA for every situation involving personal data and therefore signed them on a purely routine basis. In reality, it all comes down to which party is in control of protecting the data or, in legal terms, which party determines the purposes and means of the processing.

The misconception of “responsibility for the customer”

The foundation of data protection legislation is to safeguard our personal data in an increasingly insecure environment, and DPAs are not meant to be mere contractual formalities. Their core purpose is to ensure that the parties involved clearly understand who ultimately bears responsibility for protecting the data. The party that decides why and how the processing takes place is, by law, the Controller, and carries the legal responsibility for ensuring that appropriate measures are in place. 

A common misconception is that you are the Controller simply because you are responsible for the customer or employee (the data subject). However, the GDPR is clear – responsibility follows the processing of personal data itself, not the underlying commercial or organisational relationship.  

You cannot choose role by contract 

Many try to allocate responsibility through DPAs, choosing to act as a Processor rather than a Controller, or as a Controller rather than a Processor. But legally, the one who decides why and how personal data is processed always remains responsible – regardless of what the contract says.

Responsibility follows control, not contracts. Clarifying this from the start saves time, resources, and legal risk.

Part 2: Building a Sustainable Structure for Your Data Processing Agreements

Consistency, documentation, and control are the cornerstones of compliance 

When an organisation manages dozens or even hundreds of DPAs, the workload can quickly become unmanageable. Each agreement requires oversight, review, and documentation. To stay efficient and compliant you need structure, standardisation, and clear routines. 

Four pillars of an effective data protection framework 

As a Data Controller, you should ensure that the organisation: 

  1. Documents clear instructions – specify requirements for Processors, and set up reporting channels and incident procedures.
  2. Uses a unified DPA template – enables consistency and simplifies follow-up.
  3. Maintains a central register – lists all Processors and agreements for full visibility.
  4. Implements regular monitoring routines – ensures ongoing compliance and accountability.

These measures support the GDPR’s accountability principle and help ensure compliance with Article 28 obligations.

Structure saves resources and mitigates risk 

A structured process not only saves time and resources but also builds resilience. It helps avoid unnecessary administrative work, ensures that legal obligations are met, and supports confident decision-making when incidents occur.  

Structure and standardisation are not bureaucracy – they are protection.

Part 3: Being a Data Processor – A Responsibility of Its Own

Good governance reduces risk and builds stronger client relationships 

Acting as a Processor does not entail less responsibility, but a different set of legally defined obligations. Processors have direct responsibilities under the GDPR and must therefore be able to demonstrate compliance with both the Data Controller’s instructions and applicable legal requirements. 

What every Processor should have in place

To meet all obligations, a Processor should: 

  • Maintain a documented record of acceptable and non-acceptable contractual terms, with a clear escalation process for exceptions. 
  • Maintain an updated register of all Controllers it acts on behalf of. 
  • Conduct regular internal audits to verify compliance with Controller requirements. 
  • Implement a robust process for reporting and managing data incidents swiftly. 

The value of structure and clarity 

Processors often serve multiple Controllers with varying demands and instructions. Having consistent internal routines ensures efficiency and reduces risk. It also demonstrates professionalism and strengthens trust, turning compliance from a burden into a competitive advantage.  

Understanding your obligations as a Processor is essential. Demonstrating compliance is what truly earns trust.

Want to learn more? Visit our Data Privacy page or contact:

Pia Rosengren

Partner & Head of Data Privacy
