Both data controllers and data processors have obligations under the GDPR but these differ so it is important to establish the difference. A data controller is someone who holds personal data and “controls” how they use it – they decide how long to hold it, how to use it, where to send it, when to delete it etc.

A data processor acts on behalf of a data controller. It takes the data from a controller and “processes” it under the controller’s instructions. The processor doesn’t have any right to use that data for any other reason.