GDPR: Who are data controllers and processors?

What is a data controller?

When making decisions or processing personal data, it is important to understand whether your role is a controller or processor as each have different duties and obligations when dealing with personal data.  We have set out below what each role entails. 

What does a controller do?

The Information Commissioner’s Office (ICO) defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”.  Ultimately, controllers determine the purposes and means of processing, in particular, what data to process, why and how. They are the main decision-makers and exercise overall control as to how the personal data is processed. 

What does it mean if you are a controller?

It is important to recognise that controllers have the highest level of compliance responsibility and have overall accountability for how personal data is handled. Controllers must:

• Comply with, and demonstrate compliance with the data protection principles, which are, broadly, to ensure that personal data is:
  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Ensure that individuals can exercise their rights regarding personal data.
• Implement appropriate technical and organisational security measures to ensure security of personal data.
• Only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements.
• Conduct an assessment of the processor’s guarantees by taking into account the processor’s expert knowledge, reliability and resources and where relevant the processor’s reputation.
• Enter into a binding contract or other legal act with processors, which must include the following regarding the processing of personal data as a minimum:
  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject; and
  • The controller’s obligations and rights.

In addition, the following specific terms or clauses must be included in the contract:

• • Processing only on the documented instructions of the controller;
  • Duty of confidence;
  • Appropriate security measures;
  • Using sub-processors;
  • Data subjects’ rights;
  • Assisting the controller;
  • End-of-contract provisions;
  • Audits and inspections.
• Notify processors of any relevant information which may help the processor meet its duties in providing assistance to the controller in ensuring its compliance with Articles 32-36 of the UK GDPR, which considers security of processing, notification of a personal data breach to the Commissioner, communication of a personal data breach to a data subject, data protection impact assessments and prior consultation.
• Assess data breaches, and notify personal data breaches to the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers must also notify affected individuals, if the breach is likely to result in a high risk to their rights and freedoms.
• Comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments (DPIAs) and appointing a data protection officer.
• Pay the ICO a data protection fee unless exempt.
• Understand their liability: controllers are liable for their own compliance under the UK GDPR and therefore any applicable sanctions, claims and damages.

Can there be more than one controller?

Yes, the UK GDPR defines this as being a ‘joint controllership’, where two or more controllers jointly determine the purposes and means of processing. Joint controllers have shared purposes and can take different forms and combinations. It is important that there is a transparent agreement in place, which sets out each controller’s obligations, roles and responsibilities for UK GDPR compliance.

They are not joint controllers if they are processing the same data for different purposes.

A joint controller can be held liable for non-compliance in exactly the same way as from any sole controller. Each joint controller will be liable for the entire damage caused by the processing, unless it can prove it is not in any way responsible for the event giving rise to the damage. 

What is a processor?

The ICO defines a processor as being “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Processors are separate legal entities to the controller which act on behalf of, and only on instructions of, the relevant controller, therefore, do not have any purpose of their own in processing the data. 

For example, the controller’s employees are not processors. 

Similarly to controllers, processors will be subject to obligations under the UK GDPR, but contrastingly, processors will be required to report certain matters to the controller. For example, if a data breach was committed, a processor would need to report this to the controller who would then assess whether this would be required to be reported to the ICO or not. It will also need to implement safeguards or security measures, record-keeping and ensuring compliance with the rules of any international data transfers. 

Can I sub-contract to another processor?

Yes, you can do this, but processors must firstly obtain the controller’s written authorisation to use a sub-processor. The processor will be liable for the sub-processors’ compliance so it is important to ensure that there is an agreement in place for this relationship so each party is clear of its obligations, and the processor can comply with its obligations with the controller.

If there are any subsequent changes of sub-processor, this must be authorised by the controller.

Can I be both a controller and a processor? 

Processors may be controllers for some personal data, and processors for other personal data. For example, a processor will be a controller regarding its own employees’ personal data. 

However, you cannot be a controller and a processor for the same processing activity. 

Finally, how does the controller-processor relationship work in practice?

The key is to determine each party’s degree of independence in determining how and in what manner the data is processed as well as the degree of control over it. At one extreme, one party (the client) will determine what personal data is to be processed and provide detailed processing instructions that the other party (the service provider) must follow. The service provider is tightly constrained in what it can do with the data and has no say at all over how it is processed. In this relationship the client is clearly the controller and the service provider is the processor. 

However, it is far more common for a data controller to allow its processor discretion over how the processing takes place using its own expertise. 

Key takeaways

• Controllers determine the purpose of the data processing, not the processors. 
• Processors act on the controller/s’ instructions, and although can make a certain decision about the way the processing will be done, has limited control over the data. 
• It is prudent to have an agreement set up between joint controllers, the controller and processor, and processor and sub-processor so each party understands its obligations and these are documented. 
• Controllers and processors have a different set of responsibilities, and have various responsibilities when dealing with data breaches.  

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team.