Controller and Processor
Controller and processor are the two principal roles defined by GDPR. The controller decides the means and purposes of data processing; the processor processes personal data on the controller's documented instructions. For a typical European VDR engagement: the seller is the controller, the VDR provider is the processor, and bidders typically become controllers themselves once they receive the personal data.
See GDPR for VDRs.
Published: May 2026. Updated: 18 June 2026.