Controller vs processor: who actually owes you answers?

The controller decides why and how; the processor just executes. Your rights run against the controller — and “we’re only the processor” is a dodge with a built-in counter.

Two roles, one liability chain. The controller (Art. 4(7)) decides the purposes and means — the shop, the employer, the app operator. The processor (Art. 4(8)) handles data on the controller’s instructions — the cloud host, the mail-tool, the payroll bureau — bound by a data-processing agreement (Art. 28). Where your rights land: on the controller. Send your access or erasure request to the organisation you dealt with; routing it to their hosting provider goes nowhere. The dodge and the counter: companies duck requests with “we only process for a partner”. Art. 12 and 26 oblige them to identify the controller to you — reply: “Then name the controller, as the GDPR requires, and forward my request.” Silence after that is a clean DPA complaint. Joint controllers (Art. 26 — think platform + page operator, per the CJEU’s Fashion ID line): you may exercise rights against either; their internal arrangement is not your problem. For damages (Art. 82), controller and processor can both be on the hook — you claim against whichever is easiest to reach, they sort recovery among themselves.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority