AIGP Exam Concept

Roles and Responsibilities

What is the difference between a data controller and a data processor?

Understanding which entity controls processing and which executes it is foundational to GDPR compliance and a core concept in AIGP exam preparation.

Why this matters for the AIGP exam

The controller-processor distinction determines who bears primary legal responsibility under GDPR. Controllers determine the purposes and means of processing. Processors act on their behalf under documented instructions. Misidentifying the role in a scenario question leads candidates to the wrong legal obligations, the wrong notification timelines, and the wrong allocation of accountability.

AIGP exam questions involving this concept often present a fact pattern describing a service relationship and ask you to identify the correct role. The trap is that the labels in a contract do not determine the legal role. What determines it is the substance of who decides why and how data is processed.

The defining question: who decides purpose and means?

A data controller is any natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A data processor processes personal data on behalf of the controller. The processor follows the controller's instructions. It does not determine why the data is processed or the essential elements of how it is processed.

The key test is decision-making authority. If an entity can decide whether to collect data, what to do with it, how long to keep it, or whether to share it with others, it is acting as a controller for those decisions. If it executes those decisions according to someone else's instructions, it is acting as a processor.

Scenario example

A retail company hires an email marketing platform to send promotional emails to its customers. The retail company determines which customers to contact, what the emails say, and when to send them. The marketing platform executes the send instructions using its infrastructure.

In this scenario, the retail company is the controller and the marketing platform is the processor. The marketing platform must process the data only according to the retailer's documented instructions, must not use the data for its own marketing purposes, and must return or delete the data on request.

If the marketing platform were to use the customer list to build its own analytics product without the retailer's instruction, it would be acting as a controller for that use, potentially without a valid legal basis.

Common confusion and exam trap

The most common trap on AIGP questions about this concept is the contractual label problem. A contract may refer to a party as a "data processor," but if that party independently determines how long to retain data, decides which security measures to apply based on its own risk assessment, or processes data for its own purposes alongside the controller's, it is functioning as a controller for those decisions.

A second trap is joint controllership. When two organizations together determine the purposes and means of processing, they are joint controllers. This requires a joint controllership arrangement under Article 26 GDPR and brings shared accountability obligations. Joint controllership is not the same as a controller-processor relationship, and confusing them leads to incorrect answers about who must respond to data subject requests.

Key obligations that follow from the role

  • Controllers must have a valid legal basis for processing and must be able to demonstrate it.
  • Controllers must respond to data subject rights requests directly.
  • Controllers must conduct DPIAs for high-risk processing activities.
  • Processors must process only according to documented controller instructions.
  • Processors must assist controllers in meeting data subject rights obligations.
  • Processors may not engage sub-processors without controller authorization.
  • Both controllers and processors must implement appropriate technical and organizational security measures.

Practice this concept in context

AIGP Decision Lab includes scenario questions on this topic with full rationale breakdowns. One-time purchase. $39.99.


Independent AIGP prep tool. Not affiliated with IAPP.