Controller or processor
When processing personal data, an individual or an organisation will act as either a data controller or a data processor.
Determining your relationship to the data you process is essential to maintaining compliance, as both controllers and processors have responsibilities in relation to personal data.
Data Controller
Data protection legislation defines a data controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".
In simple terms, the data controller decides what personal data to collect and why. The data controller also has ultimate responsibility over the personal data.
The ICO provides a checklist for determining whether an individual or the organisation they work for is a data controller.
If any of the following apply, you/your organisation are likely the controller:
☐ You decided to collect or process the personal data.
☐ You decided what the purpose or outcome of the processing was to be.
☐ You decided what personal data should be collected.
☐ You decided which individuals to collect personal data about.
☐ You obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
☐ You are processing the personal data as a result of a contract between you and the data subject.
☐ The data subjects are your employees.
☐ You make decisions about the individuals concerned as part of or as a result of the processing.
☐ You exercise professional judgment in the processing of the personal data.
☐ You have a direct relationship with the data subjects.
☐ You have complete autonomy as to how the personal data is processed.
☐ You have appointed the processors to process the personal data on your behalf.
You might share controller duties with another individual or organisation (joint data controllers) if:
☐ You have a common objective with others regarding the processing.
☐ You are processing the personal data for the same purpose as another controller.
☐ You are using the same set of personal data (eg one database) for this processing as another controller.
☐ You have designed this process with another controller.
☐ You have common information management rules with another controller.
Data Processor
Data Protection legislation defines a data processor as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
A data processor is usually a third party (separate from the data controller) that collects, uses, or manages data based solely on instructions from the data controller.
A data processor can be held liable for mismanagement of personal data, so it is important that they understand and appropriately follow their obligations as laid out by both Data Protection legislation and the data controller. These responsibilities are usually set out in a contract between all parties, such as a Data Processing Agreement.
Some examples of third party data processors include:
- transcription or translation services
- online survey platforms
- cloud hosting services
The ICO provides a checklist for determining whether an individual or the organisation they work for is a data processor.
If any of the following apply, you are likely the processor:
☐ You are following instructions from someone else regarding the processing of personal data.
☐ You were given the personal data by a customer or similar third party, or told what data to collect.
☐ You do not decide to collect personal data from individuals.
☐ You do not decide what personal data should be collected from individuals.
☐ You do not decide the lawful basis for the use of that data.
☐ You do not decide what purpose or purposes the data will be used for.
☐ You do not decide whether to disclose the data, or to whom.
☐ You do not decide how long to retain the data.
☐ You may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
☐ You are not interested in the end result of the processing.