Controller and Processor

Controller and processor are the two principal roles defined by the GDPR. The controller decides the means and purposes of data processing; the processor processes personal data on the controller's documented instructions. In a typical European virtual data room (VDR) engagement, the seller is the controller, the VDR provider is the processor, and bidders typically become controllers themselves once they receive the personal data.

See GDPR for VDRs.

Last updated: May 2026.