When a company hires a payroll management firm, uses cloud-based HR software, or outsources its customer service, the personal data of its employees and clients leave its systems to be processed by a third party. Regulation (EU) 2016/679 (GDPR — General Data Protection Regulation) has a specific mechanism to govern that relationship: the data processing agreement set out in article 28. But before signing such a contract — or requiring one from a supplier — it is essential to be clear about who is the data controller and who is the data processor. Confusion between the two is one of the most common mistakes in GDPR compliance and can lead to consequences under the sanctioning framework of article 83.
At Summum Consultoría we help organisations in Castilla y León and the Canary Islands with their GDPR compliance, including identifying processors, drafting art. 28 contracts, and managing sub-processors. This article summarises what you need to know about both roles with full regulatory rigour.
What is a data controller?
Article 4.7 of the GDPR defines the data controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". The key word is determines: the controller is the party that decides why data are processed (the purpose) and how they are processed (the essential means). It is not necessary for the controller to process the data directly; what matters is who makes those decisions.
Common examples of a data controller:
- A company that collects customer data to manage orders and invoicing.
- A school that processes pupil and family data for academic administration.
- A clinic that maintains medical records for its patients.
- A self-employed professional who uses a CRM to manage their commercial contact portfolio.
The controller is the party that must comply with the principles set out in article 5 of the GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality), that must respond to data subject rights requests (access, rectification, erasure, portability, restriction, objection), and that is accountable to the AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Authority) in the event of non-compliance.
What is a data processor?
Article 4.8 of the GDPR defines the data processor as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". The essential difference from the controller is that the processor does not determine the purposes or the essential means of the processing: it acts on the instructions of the controller.
Common examples of a data processor:
- A payroll or tax management firm that processes employee data to prepare payslips on behalf of its client company.
- A hosting or cloud infrastructure provider that hosts the servers where the controller stores its databases.
- An HR software solution in SaaS (Software as a Service) mode that stores and processes employee data.
- A courier company that receives recipients' data to deliver parcels on behalf of an e-commerce retailer.
- A call centre that handles customer calls using the controller's information.
The processor may take decisions on the technical or organisational means of processing (which server to use, which encryption system to apply), but it cannot change the purpose or the essential means without an express instruction from the controller. If it does so, it is deemed to be a data controller in its own right, with all the resulting liability implications.
Key differences between controller and processor
The following table summarises the main differences between the two roles under the GDPR:
| Criterion | Data controller | Data processor |
|---|---|---|
| Definition (GDPR art. 4) | Art. 4.7: determines the purposes and means of processing | Art. 4.8: processes data on behalf of the controller |
| Decision on purpose | Yes, it determines it | No; it follows the controller's instructions |
| Legal basis | Must identify and document it (art. 6 GDPR) | No independent legal basis required; acts under mandate |
| Record of processing activities | Mandatory (art. 30.1 GDPR) | Mandatory (art. 30.2 GDPR), with different content |
| Mandatory contract | Must require it from the processor (art. 28.3 GDPR) | Must sign it with the controller and, where applicable, with sub-processors |
| Liability to data subjects | Direct (art. 82.2 GDPR) | Joint and several if it fails to fulfil its obligations (art. 82.2 GDPR) |
| Breach notification | Notifies the AEPD within 72 hours (art. 33 GDPR) | Notifies the controller without undue delay (art. 33.2 GDPR) |
The data processing agreement: art. 28 of the GDPR
Article 28 of the GDPR provides that the data controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures, and that processing by a processor shall be governed by a contract or other legal act binding the processor to the controller.
This contract — known in practice as a "DPA" (Data Processing Agreement) — is not simply an annex to a commercial contract: it is an independent compliance requirement whose absence constitutes an infringement of the GDPR. The AEPD verifies the existence and content of these contracts in its inspection activities.
Mandatory content of the contract (art. 28.3 GDPR)
Article 28.3 of the GDPR sets out in detail the clauses that the data processing agreement must include. All of them are mandatory; omitting any one does not render the contract void, but may give rise to a separate infringement. The contract must stipulate that the processor:
- Processes personal data only on documented instructions from the controller, including with regard to international transfers (unless required to do so by EU or Member State law, in which case the processor shall inform the controller).
- Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Takes all security measures required pursuant to article 32 of the GDPR.
- Respects the conditions for engaging another processor (sub-processors), in accordance with article 28, paragraphs 2 and 4.
- Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the controller's obligation to respond to requests for exercising data subjects' rights.
- Assists the controller in ensuring compliance with the obligations relating to security, breach notification, data protection impact assessments and prior consultations with the authority (arts. 32 to 36 GDPR).
- At the choice of the controller, deletes or returns all personal data to the controller after the end of the provision of processing services, and deletes existing copies, unless EU or Member State law requires storage of the data.
- Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28, and allows for and contributes to audits and inspections conducted by the controller or an auditor mandated by the controller.
In addition to the minimum content of art. 28.3, the contract must describe the subject matter, duration, nature and purpose of the processing, the type of personal data involved and the categories of data subjects, as well as the obligations and rights of the controller. Without these descriptive elements, the contract does not fulfil its regulatory function and cannot be verified by the AEPD.
Sub-processors: art. 28.2 and 28.4 of the GDPR
In many cases, the data processor itself needs to subcontract part of the processing to a third party. The GDPR permits this, but subject to strict conditions governed by article 28.2 and 28.4.
The processor shall not engage a sub-processor without prior specific or general written authorisation from the controller. That authorisation may be:
- Specific: the controller approves each particular sub-processor on a case-by-case basis.
- General in writing: the controller grants prior general written authorisation for the processor to engage sub-processors, but the processor must inform the controller of any intended changes (additions or replacements), thereby giving the controller the opportunity to object. This is the most common arrangement in contracts with SaaS and cloud providers.
When the processor engages a sub-processor, it must impose on that sub-processor the same data protection obligations as those set out in the contract with the controller (art. 28.4 GDPR). If the sub-processor fails to fulfil its obligations, the original processor remains fully liable to the controller for that failure. This means the chain of liability extends downward: the processor cannot evade its responsibility by arguing that it was the sub-processor that was at fault.
In practice, major cloud providers (AWS, Google Cloud, Microsoft Azure) publish their lists of sub-processors and periodically update their DPA with their clients. Verifying that those lists are accessible and that a real mechanism for objection exists is part of the due diligence process that Summum Consultoría carries out when supporting organisations with their GDPR compliance.
Practical examples: who is a processor and what the contract requires
The payroll or tax management firm
A company engages a management firm to prepare its employees' payslips and file quarterly income tax and VAT returns. The firm accesses personal data of the workers (name, social security number, salary, family situation) and of clients and suppliers. In this arrangement:
- The company is the data controller: it decides what data are processed and for what purpose.
- The management firm is the data processor: it processes the data following the company's instructions, solely to prepare payslips and manage taxes.
The processing agreement must specify precisely what processing activities the firm carries out, how long it will retain the data, what security measures it applies, and what it will do with the data when the relationship ends. Without this contract, both the company and the management firm are in breach of article 28 of the GDPR.
The hosting or cloud infrastructure provider
A company that hosts its website, CRM, or email on a hosting provider's servers is granting technical access to personal data of its clients and employees. The hosting provider is a data processor, even if in most cases it does not actively access the data: technical capability to do so is sufficient. The obligation to sign a data processing agreement exists regardless of whether the provider is a local company or a global technology giant.
Many hosting providers already include a DPA section in their general terms and conditions, or offer it as a separate document. It is the responsibility of the data controller to verify that the DPA actually complies with article 28.3 of the GDPR and not merely with the minimum requirements of the provider's own jurisdiction.
HR, CRM or ERP software in SaaS mode
The rise of software as a service has multiplied the number of data processors that companies work with. An HR management system that stores employee data, a CRM that holds client information, or an ERP that integrates accounting and personal data are all, in every case, data processors. The company that subscribes to them is the controller.
In this context, it is common for SaaS providers to use multiple sub-processors in turn (cloud infrastructure providers, analytics services, support platforms). The controller must verify that the SaaS provider has mechanisms to control its sub-processors and that the DPA allows it to exercise that control in a real, not merely formal, way.
What happens if no data processing agreement exists?
The absence of a data processing agreement where one is mandatory constitutes an infringement of article 28 of the GDPR. The sanctioning regime under article 83 of the GDPR classifies this infringement in the group under paragraph 83.4, which provides for fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. The LOPDGDD (Ley Orgánica 3/2018, de 5 de diciembre — Organic Law on Data Protection and Guarantee of Digital Rights) supplements this regime in the Spanish legal order.
In addition to the financial penalty, the absence of a contract may give rise to civil liability towards the data subjects concerned. Article 82 of the GDPR grants data subjects the right to receive compensation for material or non-material damage suffered as a result of an infringement of the Regulation. If a data processor processes data without a valid contract and a breach occurs, the controller and the processor may be jointly and severally liable to the data subjects.
From a practical standpoint, the absence of a data processing agreement also makes it harder to demonstrate compliance with the accountability principle before the AEPD. When the AEPD conducts an inspection or investigates a breach, one of the first documents it requests is the inventory of processors and the corresponding art. 28 contracts. Not having them is a sign of lack of diligence that can aggravate the assessment of the main infringement.
Frequently asked questions
Can a data processor become a data controller?
Yes. Article 28.10 of the GDPR expressly provides that, if the processor infringes the Regulation by determining the purposes and means of the processing, it shall be considered a data controller in respect of that specific processing operation. This occurs when the processor goes beyond the instructions received and uses the data for its own purposes (for example, a software provider that analyses the controller's client data to improve its own models without authorisation). Becoming a controller entails assuming all obligations from article 5 onwards, including direct sanctioning liability.
Is a clause in the commercial contract sufficient, or is a separate document required?
The GDPR refers to "a contract or other legal act" (art. 28.3), so it does not formally require a separate document: the DPA may be a clause, an annex or an appendix to the main commercial contract. In practice, however, it is recommended that the content of article 28.3 be contained in a document clearly identified as a "data processing agreement" or "DPA", because it facilitates auditing, updating when the terms of the processing change, and demonstration of compliance before the AEPD. What is essential is that the content be complete and signed by both parties.
What about processors located outside the European Union?
If the data processor is located outside the European Economic Area (EEA), in addition to the art. 28 contract it is necessary to establish an adequate safeguard for the international transfer of data in accordance with Chapter V of the GDPR (arts. 44 to 49). The most common safeguards are the standard contractual clauses (SCCs) adopted by the European Commission or the existence of an adequacy decision for the destination country. Without such a safeguard, the transfer of data to the processor is unlawful regardless of whether a data processing agreement exists.
How often should the data processing agreement be reviewed?
The GDPR does not set a mandatory review period, but the accountability principle requires the contract to reflect the reality of the processing. Reviews should take place when the services provided by the processor change, when the processor brings on new relevant sub-processors, when regulatory changes affect the mandatory content of the contract (for example, the adoption of new standard contractual clauses by the European Commission), or following a security breach that has revealed deficiencies in the agreed security measures. As a recommended practice, an annual review of the processor inventory and associated contracts allows GDPR compliance to be maintained on a sustained basis.