A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.2 Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”3 Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.

The EDPB has suggested that market research companies would be considered processors in the following situation:4