Outsourcing of certain business processes is standard for most companies these days, even for small and mid-size companies. Through outsourcing, business processes within a group of companies can be handled efficiently or access to an advanced IT infrastructure can be made possible. Outsourcing usually involves transferring personal data, such as employee data, customer data or supplier data. The outsourcing provider is a processor, the outsourcing customer is a controller. So far so good. But what if the provider uses the data for its own purposes too? And what if the customer is told what to do by the processor when processing the data? This article explains on which basis the individual roles of controller and processor can be determined taking into account the EU General Data Protection Regulation (GDPR).