A data controller decides how and why personal data or sensitive personal data should be used. Data controllers are normally organisations like companies, partnerships, charities and so on although individuals, for example self-employed consultants, can also be data controllers.
A data processor acts on the data controller’s behalf to process and use the data. Again, a data processor can be any type or organisation or even an individual.
For example, if a company collects personal data from customers to compile a customer list, the company will be a data controller. If the company then passes the customer list to a marketing agency and instructs the latter to prepare an advertising mailshot, the marketing agency will be a data processor.
As a controller you oversee and are responsible for the processing of person data; you have overall control of the personal data that is being processed. Processors, on the other hand, act under the controller's authority and serve the controllers interest rather than their own. Accordingly, controllers are responsible for complying with the UK GDPR while processors have more limited compliance responsibilities, such as only processing data in line with the controller’s instructions, unless required by law to do otherwise.
