Are marketers data processors or controllers under GDPR?

25th May 2018 marked a new dawn for data security practices across Europe when the General Data Protection Regulation (GDPR) came into effect.

There has been a lot of discussion about who controls and accesses data and who is responsible for ensuring data compliance. However, there is still some uncertainty as to the role marketers – both agency and in-house – occupy in terms of data responsibility.

There are several resources out there that specifically detail the role of a data processor and a data controller, but these tools often expect the roles to be occupied by different individuals.

As a marketer, you’ll probably need to wear both hats. It’s important to understand that your role as a processor or controller will change, depending on each individual relationship. To bring this to life, here are some example situations:

The bank will be creating any number of marketing assets, alongside their usual data processing activities. It’s in control of who gets what data.

External print company
When instructing a printer to print personalised direct mailers, for example, the bank will be handing over data to the printers. Therefore, they are a data processor.

The bank also uses a marketing agency to generate leads using email marketing and gated content on their website. Data capture will be handled by a marketing automation platform.

Marketing agency
The agency processes data on behalf of the bank because they manipulate the data before it is added to the marketing automation software.

Marketing automation software
In this case, the software will also be a processor because the data exists and is being used in their system.

Data centre
It doesn’t stop there. The software is SaaS and is delivered via a data centre. The data centre is also a data processor.

Marketing agency
The agency also uses a marketing automation platform for their own marketing activity. In this instance they are the controller!

Marketing automation platform and Data centre apply for the same reason as above.


You can read or download our handy GDPR whitepaper here, which addresses this and many more questions marketers might have around GDPR. Becoming compliant requires time to get right, but it doesn’t have to be a minefield. In fact, it’s an opportunity to make sure your processes, security and relationships with third parties are watertight.



By Sean Ross Howlett