GDPR is strict in how it defines entity types. And those entity types determine how entities must comply with GDPR and interact with end-users and their data.

GDPR defines two types of organizations:

1. Controller. This is an entity that engages directly with users and processes personal data of EU users.
2. Processor. This is an entity that processes personal data for a controller. This is inclusive of all the service and software companies that a Controller uses to carry out its services.

Under GDPR, Controllers are the owners of end-user data. When a Controller under GDPR works with a Processor, they extend obligations to the Processor through a data protection agreement. When a Processor works with another Processor, such as a cloud provider like Amazon, Google, or Microsoft, the Processor extends their own liability in a data protection agreement. Processors cannot use 3rd parties as Processors without the express consent of the Controller.

As you can imagine, there are millions of Controllers. Most Controllers work with many different 3rd party organizations as Processors. Processors, increasingly reliant on technology partners, have many partners. Because of this chain of liability from Controllers to Processors to more Processors, it can become messy.

Know the entity type of your organization and the key 3rd parties to which your organization extends liability

‍