The controller is the party that – alone or jointly with others – determines the purposes and means of the processing of personal data. Where (part of) the processing is outsourced, for instance to a cloud service provider, the controller can be considered the client and the other party the contractor. In GDPR terms, the contractor is called the “processor”. The terms of service between controller and processor are laid down in a data processing agreement. If one controller supplies personal data to another controller, these parties should enter into a data transfer agreement.