The General Data Protection Regulation (GDPR) has already been in force for several months. However, there is still uncertainty about the meaning of certain terms in the GDPR. For example, it is not clear to everyone what the difference is between a controller and a processor, while these are core concepts of the GDPR. According to the GDPR, the controller is the (legal) entity or organization that determines the purpose and means of the processing of personal data. The controller therefore determines why personal data is being processed. In addition, the controller in principle determines with which means the data processing takes place. In practice, the party that actually controls the processing of data is the controller. According to the GDPR, the processor is a separate (legal) person or organization that processes personal data on behalf of and under the responsibility of the controller. For a processor, it is important to determine whether the processing of personal data is performed for the benefit of itself or for the benefit of a controller. It can sometimes be a puzzle to determine who is the controller and who is the processor. In the end, it is best to answer the next question: who has ultimate control over the purpose and means of data processing?