Skip to content

The term controller refers to the entity that determines the “purposes and means” of how personal data will be processed.1 Determining the “means” of processing refers to deciding “how” information will be processed.2 That does not mean, however, that a controller will make every decision with respect to the processing of information.

The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.”3 Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, considered by the EDPB to be “traditionally and inherently reserved to the controller.”4 In other words, these are decisions regarding how personal data will be processed that a controller should not delegate to a third party. The EDPB has taken the position that one of the essential means of processing is “the type of personal data” that will be processed.5 As a result, normally a processor should not determine the type of personal data that will be processed, and a processor that engages in such activity may be labeled as a controller by supervisory authorities.


1 GDPR, Article 4(7).

2 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

3 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

4 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

5 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.