The checkbox that changes who's liable
When you drop Google Analytics on your site, is Google processing visitor data on your instructions, or using it for its own purposes? That's not a philosophical question. The answer decides which contract you need, who a data subject can sue, and whether the whole arrangement is lawful. And the uncomfortable part is that it varies by vendor, and sometimes flips on a single configuration setting.
GDPR sorts every party into a role. A controller decides the purposes and means of processing, the why and the how. A processor acts only on the controller's documented instructions. Article 4 defines both, and the EDPB Guidelines 07/2020 add the rule that decides close cases: it's function over form. What a party actually does determines its role, not what the contract calls it.
You're the controller. The question is what your vendor is
For analytics, you (the website operator) are almost always a controller. You chose to measure your traffic and you decided why. The open question is the vendor's status, and there are two models.
The processor model. The vendor processes visitor data only to deliver your analytics, on your instructions, and doesn't use it for its own ends. That relationship needs an Article 28 data processing agreement. Self-hosted Matomo is the cleanest example: the data stays with you. Google Analytics, under Google's data processing terms, positions Google as a processor for the core analytics data. When European regulators examined Google Analytics in 2022, they treated the website as controller and Google as processor for that data.
The controller or joint-controller model. The vendor uses the data for its own purposes, such as improving its products or building cross-site advertising profiles, and so becomes a controller in its own right, or a joint controller with you. Advertising pixels frequently sit here. Meta Pixel, Google Ads tags, and similar tools feed the vendor's own ad graph, which is a purpose you don't control.
Fashion ID and the tag you embedded
The case that put joint controllership on the map for website operators is Fashion ID (CJEU C-40/17, decided 29 July 2019). A retailer embedded Facebook's "Like" button. The button sent every visitor's IP address and browser data to Facebook whether or not they clicked it. The Court held the retailer was a joint controller with Facebook for the collection and transmission of that data, because it helped cause the transmission by embedding the tag, even though it had no say in what Facebook did afterward.
The threshold the Court set is deliberately low. Joint controllership doesn't require equal responsibility, and it doesn't even require that you can access the data yourself. So when you place a third-party pixel that phones data home to a vendor, you can't assume you're a neutral installer. For the collection-and-transmission stage, you may share the controller role with the vendor. The agency-side version of this liability question is covered in agency controller vs processor liability.
Read what the vendor does with the data, not what the box is labeled
A signed DPA doesn't make a vendor a processor if it's mining your visitors' data for its own advertising graph. The EDPB is explicit that the role follows the reality of the processing, so a "processor" that reuses the data for its own purposes is, for those purposes, a controller regardless of the paperwork. Before you accept a vendor's self-description, check what it actually does with the data it collects through your site. The contract is evidence of the relationship, not a substitute for it.
The configuration twist: same vendor, different role
Here's what makes analytics vendors tricky. The same tool can be a processor or a controller depending on how you set it up. Google Analytics is the standard example. Left as base analytics under the data processing terms, Google is positioned as a processor. Turn on Google Signals, cross-device features, or ads-personalization data sharing, and Google starts using the data for its own advertising purposes, which pushes the relationship toward controller or joint controller. A single toggle changes your legal relationship and the contract you should have.
This is why "is Google Analytics compliant" has no one-line answer: it depends on your configuration and your transfer situation. We go deeper in "is Google Analytics GDPR compliant" and on the specific data-sharing changes in the Google Signals changes and consent.
Why the classification changes what you have to do
Getting the role right isn't an academic exercise. Three concrete things hang off it.
- The contract. A processor relationship needs an Article 28 DPA. A joint-controller relationship needs an Article 26 arrangement that spells out who handles transparency and data-subject rights.
- Liability. With a controller or joint-controller vendor, you're both answerable, and a data subject can exercise their rights against either of you. You can't contract that exposure away.
- International transfers. If the vendor is a controller based in the US, Chapter V transfer rules apply with more force. The 2022 Google Analytics decisions from the Austrian and French authorities were fundamentally about unlawful US transfers, not about the analytics itself. See EU-US data transfers and the Data Privacy Framework.
Working out your vendor's role
- Does the vendor use the data only to serve you? Processor. You need an Article 28 DPA.
- Does the vendor reuse the data for its own purposes? Controller or joint controller for those purposes, whatever the contract says.
- Did you embed a tag that transmits data to the vendor? Fashion ID territory: assume joint controllership for the collection stage.
- Have you checked your analytics configuration? Signals and ad-personalization settings can flip a processor into a controller.
- Is the vendor outside the EEA? Check the transfer mechanism; the 2022 GA rulings turned on unlawful US transfers.
How CookieBeam supports the classification
You can't classify a vendor you haven't spotted. CookieBeam's scanner detects which third-party scripts load on your site and which external destinations they connect to, so you get an actual list of the vendors receiving data rather than a guess. That inventory is the starting point for deciding each vendor's role.
On the enforcement side, consent gating keeps these tags from firing before the visitor consents, which directly addresses the collection-and-transmission stage the Court cared about in Fashion ID. And per-purpose consent logs give you the per-vendor evidence you'll want if a data subject exercises rights against you as a joint controller. For the contract layer, pair this with data processing agreements for website owners, and for the basis question underneath it all, see legitimate interest vs consent for cookies.