Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Controller and Processor Framework Under DPDPA and GDPR: Virtual Card Access Scenarios

  • All Blogs
  • Privacy Team Pulse
  • Controller and Processor Framework Under DPDPA and GDPR: Virtual Card Access Scenarios
  • 17 July 2026 by
    Controller and Processor Framework Under DPDPA and GDPR: Virtual Card Access Scenarios
    CKonnect

    When a group works with other companies for virtual cards, one of the main things they have to ask is, "Are we dealing with a processor or a controller?" The answer is important for following rules in both India's DPDPA and the European Union's GDPR. It is not always easy to find the answer, especially when the companies you work with start making their own choices that make the lines between them less clear.

    Understanding the Controller-Processor Difference

    GDPR Framework

    A data controller is the one who makes the decisions about data. Under a GDPR rule, Article 4(7), the controller decides why and how personal data is used. They are in charge of what happens with the data.

    On the other hand, a data processor is more like a worker. They handle personal data for the controller, doing what they are told and not making their own choices. The European Data Protection Board says that controllers must decide the main parts of how data is used, but they can give some smaller jobs to processors.

    DPDPA Framework

    DPDPA works in a similar way but uses different words that people in India's legal world know better. A data fiduciary is mostly the same as a controller in GDPR. They decide why and how personal data is used. A data processor works with data for the data fiduciary.

    Here is the main difference, unlike GDPR, DPDPA does not put rules directly on processors. As an alternative, the data fiduciary must make sure the processor follows the rules. This means it is even more important to pick the right company and have strong contracts.

    Virtual Card Access

    The Virtual Card Landscape

    Virtual cards have changed business payments by giving a way to pay for specific things using a digital card. Companies often work with special vendors to handle virtual card use for things like employee costs, paying suppliers, or handling bills. But this is where the question about who is the controller and who is the processor becomes difficult.

    When Your Vendor is Acting as a Processor

    Your vendor is likely operating as a processor when they're essentially following your playbook. This means:

    Limited Instruction-Based Processing: The vendor uses data about your employees and payments based on your exact needs. You decide who gets a virtual card, how much they can spend, who has to approve it, and what they can use the card for. The vendor only puts your choices into action.

    No Independent Decision-Making: The vendor cannot change why they are using the data or make big changes. They can't decide on their own how long to keep data, who to share it with, or what security to use other than what is in your written agreement.

    Contractual Subordination: You have a full agreement with the vendor that says your company is the controller and has the final say over all data work. The vendor's job is just to do the work.

    When Your Vendor Should Be Treated as a Controller

    However, vendors can become controllers when they start making their own choices:

    • Making their own choices for processing: If your vendor decides on its own what security to use, how long to keep data, or shares information with other networks to stop fraud without you telling them to, they are acting like a controller.
    • Using data for their own goals: When vendors use your payment data for their own business, like making their computer programs better, looking at market trends, or making new products, they become controllers for that work.
    • Working on their own: Vendors who make big decisions about how their systems work, what security to use, or how things are done that affect personal data are acting like controllers. This is most important when vendors use their own systems for finding fraud or for looking at data.

    When Boundaries Blur: Joint Controller Scenarios

    GDPR's Joint Controllership

    Sometimes, both companies and vendors make decisions together about how data is used. Under a GDPR rule (Article 26), this makes them joint controllers. This happens when their choices work together and are both needed for the data work to happen.

    In cases with virtual cards, you might have joint controllership when both groups together decide how long to keep data, work together to set up ways to stop fraud, or create rules for watching over payments. The main point is that the choices of both groups are needed for the whole process.

    DPDPA's Approach

    DPDPA does not talk about joint controllership in the same clear way as GDPR. However, the new Data Protection Board will likely see groups that make decisions together about data as joint data fiduciaries. This could be the case when a company and a vendor decide on access rules or shared security together.

    For Vendors Who Are Actually Controllers

    If you are a vendor who sees that you are making your own choices about data, you must take on the full job of a controller. This means you need to put in place full privacy rules, make ways for people to ask for their rights with their data, look at how your work affects privacy, and make sure you have good legal reasons for everything you do with data.

    You will also need to tell your clients clearly that you are a controller. You must have proper agreements for sharing data, not the old ones for processors. Your system for following the rules must be good enough for your bigger legal duties.

    The Bottom Line

    Using virtual cards shows well how new technology can make old data protection jobs complex. No matter if you are a company or a vendor, you need to look past what your contracts say and honestly see who is really making the decisions about using data.

    The main rule is this: if you decide why and how the most important data work is done, you are a controller (or data fiduciary), no matter what your contracts say. As regulators get better at checking, getting this classification right from the start will save you a lot of trouble later on.

    The key is to be honest about your real job in the world of data and make sure the rules you follow match what you actually do. In the fast-changing world of virtual cards and digital payments, what you do will always matter more than what you say when it comes to following the rules.

    By Naukhaiz Aftab

    in Privacy Team Pulse
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Cloud Premises Hybrid
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies