Blog guide · Updated 2026-05-14 · 6 min read · By HubSecure Editorial Team · Reviewed by workflow reviewers


Data Controller vs Data Processor: Understanding Your GDPR Role

Whether you are a controller or processor determines your obligations, your liability, and the contracts you need. Many organisations misidentify their role — and build their compliance programme on the wrong foundation.

Written by: HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by: HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated: May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

TL;DR

The distinction between controller and processor is one of the most fundamental concepts in GDPR — and one of the most frequently misapplied. Getting it wrong means either over-accepting obligations you do not have, or under-recognising obligations you do. Both create compliance gaps.


Best fit and not best fit

Best for: Regulated teams that need client records, secure files, workflow ownership, RBAC and audit history together.

Not best for: Teams that only need a single-purpose tool and do not need governed client operations or compliance evidence.


The data controller

A data controller is the entity that determines the purposes and means of processing personal data. In plain language: you decide why you collect data and how it is processed. The decision-making authority over the data is yours.

Most businesses that hold client data are controllers for that data. A law firm holding client KYC files is a controller. An accounting firm processing client financial information is a controller. The key question is: who decided to collect this data and for what purpose?

The data processor

A data processor is an entity that processes personal data on behalf of a controller, under the controller's instructions. The processor does not decide why the data is collected or how it is used — it simply carries out defined processing tasks as directed.

Cloud service providers, payroll bureaus, IT managed services firms, and SaaS platforms (including HubSecure, when used to process client data) are processors. They process data that controllers have decided to hold, under contracts that define what they can and cannot do with it.

The key differences

Controller responsibilities

  • Determine lawful basis for processing
  • Publish a privacy notice to data subjects
  • Maintain a Record of Processing Activities
  • Respond to data subject rights requests
  • Report data breaches to supervisory authority within 72 hours
  • Conduct DPIAs for high-risk processing
  • Appoint a DPO if required
  • Enter DPAs with all processors

Processor responsibilities

  • Process data only on documented controller instructions
  • Maintain records of processing categories
  • Implement appropriate security measures
  • Notify controller of data breaches without undue delay
  • Not engage sub-processors without controller authorisation
  • Delete or return data at end of service
  • Assist controller with subject rights requests
  • Make compliance information available to controller

Joint controllers

Two or more organisations can be joint controllers when they jointly determine the purposes and means of processing. This is common in business partnerships, group companies sharing HR data, or platforms and their commercial partners co-deciding how user data is used. Joint controllers must have a transparent arrangement setting out their respective responsibilities — and data subjects must be informed of the essence of that arrangement.

Data Processing Agreements (DPAs)

When a controller engages a processor, a written Data Processing Agreement is mandatory under Article 28. The DPA must specify:

Is a SaaS platform always a processor?

Usually, yes. If you use a SaaS platform to store or process client data, the platform provider is typically a processor acting on your instructions. The platform decides the technical infrastructure; you decided to hold that client data in the first place.

Can a processor become a controller?

Yes — if a processor begins making decisions about the data independently (e.g., using client data for their own analytics or marketing without controller instruction), they become a controller for that additional processing. This is a breach of the DPA and creates independent GDPR liability.

HubSecure processes your client data as your processor

Our DPA covers all data processed through the HubSecure platform. Singapore-hosted infrastructure, documented instructions, and full audit trails — ready for your compliance team to review.
