Deep-dive · Foundations 1.3

Who plays which role

Controller, processor, sub-processor: the role each party plays decides who signs the contracts, who notifies on a breach, and who answers data-subject requests. Get it wrong and the wrong party carries the obligation. Scroll to follow the chain.

The ruleYour role decides who signs DPAs, who notifies on breach, and who answers DSARs. Map every external system to a role, and yes, your cloud provider is a sub-processor.
Controller You / your product decides why & how
DPA
Processor SaaS vendor acts only on instructions
DPA
Sub-processor Their cloud (AWS…) downstream vendor
Signs DPAs Notifies on breach Answers DSARs
Joint controller Embedded analytics / pixel you and the third party decide the purpose together (Fashion ID)
Step 1 · why it matters

Role decides obligation

Before any architecture, settle who is who. The role each party plays is what decides who signs the data processing agreements, who must notify on a breach, and who answers a data-subject access request.

Step 2 · controller

Controller decides why and how

The controller sets the purpose and the means. For your own product, that is usually you. Engineers often assume they are a processor when the architecture actually makes them a controller.

Step 3 · processor

Processor acts only on instructions

A processor handles personal data on the controller's behalf and nothing more: no enriching, profiling, or deriving features from customer data unless the contract allows it. Your SaaS vendors sit here.

Step 4 · sub-processor

The chain continues downstream

A sub-processor is anyone the processor brings in to help. Your cloud provider is one. So is the processor's own SaaS stack. The chain has to be visible all the way down.

Step 5 · every arrow is a contract

Map each link, keep a registry

Every arrow needs a DPA. Map each external system to a role, keep a per-product sub-processor registry (AWS, Datadog, Sentry, Stripe, OpenAI), and run a change-notification process: many DPAs require 30 days' notice before adding one.

Step 6 · the common trap

The cloud is not "just infrastructure"

AWS, GCP and Azure are sub-processors the moment they store or process customer personal data. Treating them as plumbing is how they fall off the registry and out of the RoPA.

Step 7 · the role you did not mean to take

Embedded third parties make you a joint controller

Drop Google Analytics or a Meta Pixel onto pages handling customer data and you may become a joint controller, sharing the purpose with the third party (CJEU Fashion ID). That brings shared liability you did not plan for.