Controller vs processor
The GDPR assigns different duties to a controller — who determines the purposes and means of processing — and a processor, who processes personal data on the controller's behalf. Whether your analytics vendor is a processor or a joint controller changes the contracts and liabilities involved. This page explains the distinction and how it applies to analytics.
The two roles
A controller decides the why and how of processing — the purposes and the essential means. A processor processes personal data only on the controller's documented instructions. The GDPR defines both in Article 4, and Article 28 governs the controller-processor relationship, requiring a binding contract (a data processing agreement) with specific clauses.
Where two or more parties jointly determine purposes and means, they are joint controllers (Article 26) and must arrange their respective responsibilities transparently.
How analytics maps on
If a vendor processes data strictly on your instructions to deliver measurement to you, it is typically a processor and needs a DPA. If the vendor also uses the data for its own purposes — improving its own products or building its own profiles — it may be a controller or joint controller for that processing, which changes the legal arrangements and the disclosures you owe users.
- Controller: determines purposes and means
- Processor: acts only on documented instructions (needs a DPA)
- Joint controllers: jointly determine purposes and means
How it appears in analytics and logs
Misclassifying an analytics vendor — treating a joint controller as a mere processor — leaves the wrong contracts in place and can misallocate accountability.
Diagnostic use case
Classify each party in your analytics stack as controller, processor, or joint controller so the right agreements and responsibilities are in place.
What WebmasterID can help detect
Understanding these roles helps you put the correct agreements in place with any measurement vendor; WebmasterID's first-party model keeps the controller relationship straightforward.
Common mistakes
- Assuming every analytics vendor is just a processor.
- Relying on a contract label instead of who decides purposes.
- Skipping a DPA where a processor relationship exists.
Privacy and accuracy notes
This page is educational and not legal advice. Roles depend on who actually determines purposes and means in practice, not just on contract labels.
Related pages
- Data processing agreements and analytics vendors
When you use a third-party analytics provider, it typically acts as a processor handling personal data on your behalf. GDPR Article 28 requires a written data processing agreement (DPA) setting out the subject matter, duration, instructions, confidentiality, security, sub-processing, and deletion terms. Having no DPA with a processor is itself a compliance gap. This is an educational overview, not legal advice.
- Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
- Standard contractual clauses (SCCs)
Standard Contractual Clauses (SCCs) are model data-protection contract terms adopted by the European Commission that provide a lawful basis for transferring personal data outside the EEA to countries without an adequacy decision. They are commonly used when analytics data flows to vendors abroad. This page explains their role and the assessment that accompanies them.
- Privacy-first analytics
A first-party model with a clear controller relationship.
Sources and verification notes
- EUR-Lex — GDPR Article 4 and Article 28: Definitions and the processor relationship.
- EDPB — Guidelines 07/2020 on controller and processor concepts: Interpretation of controller, processor, and joint controller.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.