How does GDPR define a “data controller” and “data processor”?

The GDPR establishes two distinct roles for organizations handling personal data. A data controller is the entity that determines the purposes and means of processing personal data: essentially, the organization that decides why and how data will be used. If you're a business collecting email addresses for your own marketing campaigns, you are the data controller. You make decisions about what data to collect, how to use it, who can access it, and how long to retain it. Controllers bear primary responsibility for GDPR compliance and are directly accountable to data subjects and supervisory authorities.

A data processor, by contrast, is an entity that processes personal data on behalf of and under the instruction of a controller. Your email service provider (ESP), for example, is typically a data processor. It sends emails containing personal data according to your instructions, but it doesn't independently decide how to use your subscriber list. Processors have their own compliance obligations under GDPR, including implementing appropriate security measures and assisting controllers with data subject requests, but their scope of responsibility is more limited since they act under the controller's direction.

In practice, the lines can blur. Some organizations act as both controller and processor depending on the context: your ESP might be a processor for your campaigns but a controller for its own marketing to you. Additionally, joint controller arrangements exist when two or more entities together determine the purposes and means of processing. For email marketers, understanding these distinctions is critical because they determine your compliance obligations, contractual requirements (such as Data Processing Agreements), and potential liability. Know your role in every data relationship, because GDPR obligations follow accordingly.