What is a data controller?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
What does a controller do?
Controllers determine the purposes and means of processing, in particular, what data to process, why and how. They are the main decision-makers and exercise overall control as to how the personal data is processed.
What does it mean if you are a controller?
It is important to recognise that controllers have the highest level of compliance responsibility and have overall accountability for how personal data is handled. Controllers must:
Comply with, and demonstrate compliance with the data protection principles, which are, broadly, to ensure that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Ensure that individuals can exercise their rights regarding personal data.
Implement appropriate technical and organisational security measures to ensure security of personal data.
Only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements.
Conduct an assessment of the processor’s guarantees by taking into account the processor’s expert knowledge, reliability and resources and where relevant the processor’s reputation.
Enter into a binding contract or other legal act with processors, which must include the following regarding the processing of personal data as a minimum:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject; and
- The controller’s obligations and rights.
In addition, the following specific terms or clauses must be included in the contract:
- Processing only on the documented instructions of the controller;
- Duty of confidence;
- Appropriate security measures;
- Using sub-processors;
- Data subjects’ rights;
- Assisting the controller;
- End-of-contract provisions;
- Audits and inspections.
Notify processors of any relevant information which may help the processor meet its duties in providing assistance to the controller in ensuring its compliance with Articles 32-36 of the UK GDPR, which considers security of processing, notification of a personal data breach to the Commissioner, communication of a personal data breach to a data subject, data protection impact assessments and prior consultation.
Assess data breaches, and notify personal data breaches to the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers must also notify affected individuals, if the breach is likely to result in a high risk to their rights and freedoms.
Comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments (DPIAs) and appointing a data protection officer.
Pay the ICO a data protection fee unless exempt.
Understand their liability: controllers are liable for their own compliance under the UK GDPR and therefore any applicable sanctions, claims and damages.
Can there be more than one controller?
Yes, the UK GDPR defines this as being a ‘joint controllership’, where two or more controllers jointly determine the purposes and means of processing. Joint controllers have shared purposes and can take different forms and combinations. It is important that there is a transparent agreement in place, which sets out each controller’s obligations, roles and responsibilities for UK GDPR compliance.
They are not joint controllers if they are processing the same data for different purposes.
What is a processor?
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors are separate legal entities to the controller which act on behalf of, and only on instructions of, the relevant controller and do not have any purpose of their own in processing the data.
For example, the controller’s employees are not processors.
Similarly to controllers, processors will be subject to obligations under the UK GDPR, but contrastingly, processors will be required to report certain matters to the controller. For example, if a data breach was committed, a processor would need to report this to the controller who would then assess whether this would be required to be reported to the ICO or not.
Can I sub-contract to another processor?
Yes, you can do this, but processors must firstly obtain the controller’s written authorisation to use a sub-processor. The processor will be liable for the sub-processors’ compliance so it is important to ensure that there is an agreement in place for this relationship so each party is clear of its obligations, and the processor can comply with its obligations with the controller.
If there are any subsequent changes of sub-processor, this must be authorised by the controller.
Can I be both a controller and a processor?
Processors may be controllers for some personal data, and processors for other personal data. For example, a processor will be a controller regarding its own employees’ personal data.
However, you cannot be a controller and a processor for the same processing activity.
Finally, how does the controller-processor relationship work in practice?
The key is to determine each party’s degree of independence in determining how and in what manner the data is processed as well as the degree of control over it.
At one extreme, one party (the client) will determine what personal data is to be processed and provide detailed processing instructions that the other party (the service provider) must follow. The service provider is tightly constrained in what it can do with the data and has no say at all over how it is processed. In this relationship the client is clearly the controller, and the service provider is the processor.
However, it is far more common for a data controller to allow its processor discretion over how the processing takes place using its own expertise.
If you require further assistance on this topic, please contact a member of our data protection team.