The data controller is the natural or legal person or public authority, who decides on the processing of personal data, determining the purposes and means of such processing. By virtue of the principle of proactive responsibility, the controller must apply technical and organizational measures to comply with and be able to demonstrate compliance, in view of the risk involved in the processing of personal data.
On the other hand, the data processor is the natural or legal person, public authority, service or other body that follows the directions of the data controller when, for example, providing a service to the data controller on its behalf.
In this sense, the data controller is the one who decides the “why” and the “how” related to personal data and the data processor is the person in charge of carrying out the treatment by the person in charge.