Definition
Under GDPR Article 4(7), a data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. Under Article 4(8), a data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The distinction is fundamental to European data protection law: it determines who bears primary responsibility for compliance, who must respond to data subject requests, who must conduct data protection impact assessments, and who faces regulatory penalties.
The boundary between controller and processor is functional, not contractual. An organization that exercises independent judgment about what data to collect and how to use it is a controller, regardless of what its agreements state. A cloud provider that stores data according to a customer's instructions is a processor. An AI model provider that uses customer prompts for its own training decides that purpose itself rather than on the customer's instructions, so for that processing it has crossed from processor to controller, a classification with significant legal consequences.
Why It Matters
The European Data Protection Board’s 2024 enforcement statistics reveal that 73% of GDPR fines exceeding EUR 1 million were imposed on data controllers, reflecting their elevated accountability. However, processor liability is not trivial: GDPR Article 83 allows supervisory authorities to fine processors directly for violations of their specific obligations, including failure to implement adequate security measures and unauthorized processing beyond the controller’s instructions.
A 2024 IAPP survey found that 82% of organizations operating in the EU had executed or updated Data Processing Agreements (DPAs) within the preceding 12 months. Each DPA defines processing purposes, data categories, security obligations, sub-processor approvals, breach notification timelines, and deletion requirements upon termination.
For AI-powered services, the controller-processor distinction is acutely contested. When a user sends a prompt to an AI provider, is the provider a processor (acting on the user’s instructions) or a controller (determining how the prompt is processed, stored, and potentially used for training)? The answer determines the legal basis for processing, the scope of data subject rights, and the allocation of liability.
How It Works
The controller-processor framework operates through legal, technical, and contractual mechanisms:
Role determination: The entity that decides why and how data is processed is the controller. The entity that executes processing instructions is the processor. Joint controllership arises when two or more entities jointly determine purposes and means.
Data Processing Agreements: GDPR Article 28(3) requires a binding contract (or other legal act) specifying the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
Sub-processor chains: Under Article 28(2) processors may not engage sub-processors without the controller's prior specific or general written authorization, and under Article 28(4) each sub-processor must be bound by the same data protection obligations as the processor, creating cascading contractual chains through dozens of vendors.
Breach notification flow: A processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). The controller notifies the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Article 33(1)), and notifies affected individuals only where the breach is likely to result in a high risk to them (Article 34).
Data return and deletion: Upon termination of the services, the processor must delete or return all personal data at the controller's choice and delete existing copies, unless Union or Member State law requires the data to be stored (Article 28(3)(g)). Right to erasure obligations flow from controller to processor through the DPA.
Stealth Cloud Relevance
Stealth Cloud collapses the controller-processor distinction by eliminating the data that gives rise to it. In a conventional AI service architecture, the user’s organization is the controller, the AI platform is the processor, and the LLM provider is a sub-processor. Each layer requires a DPA. Each layer introduces breach risk. Each layer adds compliance overhead.
Stealth Cloud's PII stripping engine removes personal data client-side before it enters any processing pipeline. The Cloudflare Worker that handles encrypted payloads processes data that contains no PII: it is not a data processor in the GDPR sense because it does not process personal data. The LLM provider receives tokenized prompts containing no identifiable information, so the sub-processor chain for personal data is severed at the client boundary. Two conditions carry this argument. The stripping must actually be complete: any PII that evades detection (unusual name forms, free-text identifiers, data embedded in attachments) is personal data in the worker's hands like any other. And the tokens must not be reversible by the recipient: under GDPR Recital 26, pseudonymised data remains personal data for any party that can reasonably re-identify it, so the token mapping and the keys must stay on the client side.
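The client-side flow described above, as an added illustration rather than Stealth Cloud's own engine: PII is replaced with opaque tokens before the prompt leaves the client, the token vault never travels with the request, a second detector pass acts as a send gate, the reply is re-hydrated locally, and the vault is shredded afterwards. The regex detectors, the `known_values` list for names that no regex can find, the `EchoModel` standing in for the remote worker/LLM call, and the sample prompt are all constructed for the example.

```python
"""Client-side PII tokenization before a prompt crosses the trust boundary.

Illustrative example, not Stealth Cloud code. Detectors, token format and the
EchoModel stand-in are assumptions made for the demonstration.
"""
import re
import secrets

# Constructed detectors for a few PII classes (assumption: a production engine
# would add NER for names, checksum validation and locale-aware formats).
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "PHONE": re.compile(r"\+\d[\d\s-]{7,}\d"),
}
# Tokens carry a class label and a random suffix; nothing about the value.
TOKEN_RE = re.compile(r"<(?:EMAIL|IBAN|PHONE|NAME)_[0-9a-f]{8}>")

# Constructed sample prompt containing four distinct PII items.
SAMPLE_PROMPT = (
    "Draft a polite reminder to Anna Keller (anna.keller@example.com, "
    "+41 44 123 45 67) that the transfer to BE71 0961 2345 6769 is pending."
)


class PiiVault:
    """Per-request mapping between PII values and opaque tokens.

    The vault exists only in the client process and is never serialised into
    the outbound request; shred() wipes it once the reply is re-hydrated.
    """

    def __init__(self, known_values=()):
        self._to_token = {}
        self._to_value = {}
        # Free-text identifiers (names, account labels) supplied by the caller
        # because no regex can find them. Longest first so substrings of a
        # longer identifier are not tokenized on their own.
        self._known = sorted(set(known_values), key=len, reverse=True)

    def _token_for(self, kind, value):
        tok = self._to_token.get(value)
        if tok is None:  # same value -> same token within one request
            tok = f"<{kind}_{secrets.token_hex(4)}>"
            self._to_token[value] = tok
            self._to_value[tok] = value
        return tok

    def tokenize(self, text):
        for value in self._known:
            if value in text:
                text = text.replace(value, self._token_for("NAME", value))
        for kind, pattern in PII_PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def detokenize(self, text):
        # Unknown tokens (e.g. after shred) are left untouched.
        return TOKEN_RE.sub(lambda m: self._to_value.get(m.group(0), m.group(0)), text)

    def shred(self):
        self._to_token.clear()
        self._to_value.clear()


def residual_pii(text):
    """Second detector pass used as a send gate: any hit means tokenization
    was incomplete and the prompt must not leave the client."""
    return [(kind, m.group(0)) for kind, p in PII_PATTERNS.items() for m in p.finditer(text)]


class EchoModel:
    """Stand-in for the remote worker/LLM call; records what it was sent."""

    def __init__(self):
        self.seen = []

    def __call__(self, prompt):
        self.seen.append(prompt)
        return "Summary: " + prompt


def process_prompt(prompt, known_values, model_call):
    """Tokenize, gate, send, re-hydrate, shred. Only the tokenized text
    reaches model_call; the vault never leaves this function."""
    vault = PiiVault(known_values)
    outbound = vault.tokenize(prompt)
    leftovers = residual_pii(outbound)
    if leftovers:
        vault.shred()
        raise ValueError(f"refusing to send, residual PII: {leftovers}")
    try:
        return vault.detokenize(model_call(outbound))
    finally:
        vault.shred()  # mapping is gone once the reply is re-hydrated


if __name__ == "__main__":
    model = EchoModel()
    print("sent   :", end=" ")
    reply = process_prompt(SAMPLE_PROMPT, ["Anna Keller"], model)
    print(model.seen[0])
    print("reply  :", reply)
```

The send gate is the part worth copying: it is what turns "we strip PII" from a hope into an enforced property, but it only catches what the detectors know about, so the `known_values` list (or an NER stage) is needed for the identifiers that regexes cannot see.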
This is not a legal technicality. It is an architectural design that eliminates entire categories of regulatory obligation downstream of the client. No DPA is required for processing that does not involve personal data. No DPIA is triggered when no high-risk processing of personal data occurs. No right to erasure request applies to a party that holds no personal data. The user's organization remains a controller for the raw data it holds before stripping; what changes is that its obligations stop at the client boundary instead of cascading through the AI platform and the model provider. The zero-knowledge architecture transforms data protection from a contractual exercise into an engineering outcome.
Related Terms
- GDPR
- FADP (Swiss Federal Act on Data Protection)
- DPIA (Data Protection Impact Assessment)
- Right to Erasure
- PII (Personally Identifiable Information)
The Stealth Cloud Perspective
The controller-processor framework governs who is responsible for personal data. Stealth Cloud renders the framework inapplicable beyond the client by ensuring no personal data enters the processing chain. When the architecture strips PII before transmission and shreds keys after processing, there is no personal data downstream of the client to control, no personal data to process, and no liability to allocate.