
What Is Data Controller vs Data Processor?

Data controller and data processor are the two core roles defined by the GDPR (and UK GDPR). The distinction matters in the recruitment and staffing industry because agencies, employers and their software vendors each handle candidate data, and which role each plays determines their legal obligations.

Compliance & Data · Updated March 2026

TL;DR

A data controller decides the purposes and means of processing personal data. A data processor processes personal data on the controller's behalf and under their instructions. The distinction determines who holds primary GDPR accountability, who must sign a Data Processing Agreement with whom, and who is liable to regulators and data subjects when things go wrong.

What Data Controller vs Data Processor Means in Practice

The controller-processor distinction is not about who handles data most - it is about who decides why. A company that tells its HR software vendor to collect candidate CVs and store them for 6 months is the controller: it decided the purpose (recruitment) and the means (that vendor, that retention period). The vendor processes data on the company's instructions without deciding why that data is collected. The vendor is the processor.

The determination is not always clean. GDPR Recital 79 and Article 26 recognize joint controllers - two or more parties who jointly determine the purposes and means of processing. A staffing agency that recruits on behalf of a client but also maintains its own candidate database, makes independent decisions about which candidates to present, and retains data for its own future placements is not a pure processor. It is a controller in its own right for those processing activities, and potentially a joint controller with its client for the shared recruitment process.

In a typical recruitment technology stack, the roles layer as follows. The employer or staffing agency is the controller. The ATS vendor is a processor. The ATS vendor's cloud infrastructure provider (AWS, Azure, GCP) is a sub-processor. A background check company instructed by the agency is a processor (or a separate controller if it determines its own purposes). A job board that receives candidate data to display listings may be an independent controller for its own processing.

The practical consequence of the determination is the Data Processing Agreement obligation. GDPR Article 28(3) requires a written contract between controller and processor containing the mandatory terms listed in Article 28(3)(a)-(h): processing only on the controller's documented instructions, confidentiality of personnel, Article 32 security measures, conditions for engaging sub-processors, assistance with data subject requests and with the controller's Article 32-36 obligations, deletion or return of the data at the end of the service, and making information available for audits. Between joint controllers, GDPR Article 26(1) requires an arrangement that allocates their respective responsibilities (in particular for handling data subject rights and providing privacy information), and Article 26(2) requires the essence of that arrangement to be made available to data subjects.

Why the Controller/Processor Distinction Matters for Recruitment Teams

Controllers bear primary liability for GDPR compliance. Article 5(2)'s accountability principle falls on the controller. The controller must establish the lawful basis for processing, draft privacy notices, respond to subject access requests, conduct DPIAs (Data Protection Impact Assessments) for high-risk processing, and report breaches to supervisory authorities. Processors have narrower, but directly enforceable, obligations: they must act only on documented controller instructions, maintain their own Article 30(2) records of processing, implement appropriate security measures under Article 32, notify the controller of personal data breaches without undue delay, and assist the controller with its obligations.

For staffing agencies, mis-identifying their role has direct financial consequences. An agency that treats itself as a pure processor when it is actually a controller will fail to pay the ICO data protection fee (required for most UK controllers unless an exemption applies), fail to maintain Article 30(1) records of processing activities, and fail to appoint a DPO where Article 37 requires one. Each is a separate violation. The ICO can fine controllers up to £17.5 million or 4% of global annual turnover, whichever is higher, under UK GDPR.

ATS and HR software vendors routinely mis-scope their processor role in DPAs. A vendor that uses client data for product improvement, analytics, or model training is processing that data for its own purposes - making it a controller or joint controller for that processing, not a pure processor. Clients who sign DPAs without scrutinizing this issue may later discover their candidate data is being used to train algorithms they did not authorize.

Controller vs Processor in Action

A mid-size staffing agency uses Candidately - an AI [recruitment platform](/glossary/recruitment-platform) built on Bullhorn's ATS - to manage its candidate database. The agency is the data controller: it decides what data to collect from candidates, how long to retain it, and which clients to share it with. Candidately is the data processor: it stores and processes candidate data only as instructed by the agency. When the agency's enterprise client asks for a copy of its candidates' data, the request goes to the agency (the controller), which decides whether and how to respond; it does not go directly to Candidately, which may act only on the agency's instructions. The agency-Candidately DPA specifies that Candidately will not use candidate data for its own purposes and will delete all data within 30 days of contract termination.

Compliance Checklist

| Question | Controller | Processor |
|---|---|---|
| Who decides why data is collected? | Yes - primary obligation | No - follows documented instructions |
| Who signs the DPA? | Signs as controller | Signs as processor |
| Who maintains Art. 30 records? | Required (Art. 30(1)) | Required (Art. 30(2), own records of processing carried out for controllers) |
| Who responds to SARs? | Yes, primary | Assists controller (Art. 28(3)(e)) |
| Who reports breaches to regulator? | Yes, Art. 33(1) | Notifies controller without undue delay (Art. 33(2)) |
| Who conducts DPIAs? | Yes, Art. 35 | Assists controller (Art. 28(3)(f)) |
| Fines exposure | Art. 83(4) and 83(5) | Art. 83(4) and 83(5) |
| Can use data for own purposes? | Yes (within a lawful basis) | No - controller instructions only |