A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. [1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not mean, however, that a controller must make every decision with respect to the processing of information.

The European


The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more proscriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires