Make an enquiry
  • 15 May 2023
  • 3 min read

Is my organisation a controller or a processor under data protection law and why is it important to know?

Cyber security and protection of private information and data concept. Locks on blue integrated circuit. Firewall from hacker attack.

The UK General Data Protection Regulation (UK GDPR) defines a controller as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

Controllers therefore ‘control’ the personal data and make the key decisions about that data and its processing, for example, what data to collect and from whom, the purposes for which it will use the data and how long to retain it. Controllers are likely to receive a commercial benefit from the processing, make decisions about individuals as a result of processing their data or exercise professional judgement when processing personal data.

The UK GDPR defines a processor as: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. 

Processors must only act on the instructions of the controller in relation to the personal data they process. Processors are likely to have been given the personal data by the controller and are generally not interested in the outcome of the processing because they are doing it on behalf of the controller e.g. to provide a service to the controller.

The UK data protection authority, the Information Commissioner’s Office (ICO), has a useful checklist of indicators pointing towards whether an organisation is a controller or processor. This can be found here.

However, it is not as simple as an organisation being a controller OR a processor. An organisation needs to identify the different categories of personal data it is holding, what it is doing with that data and why and then it needs to decide in relation to each of those categories whether it is a controller or processor in respect of the personal data. This means that an organisation can be a controller in relation to some personal data whilst at the same time being a processor for other personal data.

It is important to consider and document whether the organisation is a controller or a processor in relation to each category of personal data because data protection law imposes different obligations (and liabilities) on a controller, when compared to a processor, in respect of the relevant personal data. Therefore, the organisation needs to know whether it is a controller or a processor so that it ensures it complies with the correct obligations and therefore with relevant data protection law.

Every organisation will be a controller of personal data to some extent. For example:

  1. An organisation is a controller in respect of personal data it holds relating to its owners / shareholders / partners / members / trustees / directors / employees / volunteers.
  2. If an organisation sells goods or services to consumers and receives personal data from the consumers in order to make those sales (e.g. name and address for delivery of goods) then it will be a controller in relation to the personal data received.

There may also be circumstances in which an organisation processes personal data on behalf of another organisation in which case it may be a processor as well as a controller. For example:

  1. A payroll company receives personal data from a customer, Customer ABC Limited, so that it can process salary payments for Customer ABC Limited’s employees. The payroll company is a processor of that personal data as it is only acting on the instructions of its customer.
  2. A builders merchant uses a cloud hosting service, Hosting ABC Limited, to store the data it records on its computer systems which includes employee and customer personal data. Hosting ABC Limited’s role is limited to just holding the builders merchant’s personal data on its servers and therefore it is a processor for that personal data.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact us.

Answers are just a click away

Make an enquiry
Further Reading

Insights

View all
Data protection Cyber Security Privacy Business Internet Technology Concept
  • Article
Data protection - What data protection rights does an individual have?

15 Apr 2024

3 min read

Shield. Abstract wireframe vector illustration on dark blue. Protect and Security concept. Digital Shield on abstract technology background. 3d rendering
  • Article
Data Protection - What data protection considerations do I need to be aware of for my organisation’s website?

19 Feb 2024

2 min read

Padlock Security cyber digital concept Abstract technology background protect system innovation vector illustration
  • Article
Data Protection - My organisation has a customer privacy notice, but should we have other notices as well? 

26 Jan 2024

2 min read

Cybersecurity and data protection concept. AI generated
  • Article
Data Protection - Our organisation has a privacy notice which was produced when the GDPR came into force in 2018. Do we need to update it?

04 Jan 2024

2 min read

dp qr
  • Article
Data Protection Quarterly News Roundup (October to December 2023)

27 Dec 2023

2 min read

Digital padlock for computing system on dark blue background, cyber security technology for fraud prevention and privacy data network protection concept
  • Article
Data Protection - What is a privacy notice, why does my organisation need one and what information do we need to include?

14 Dec 2023

2 min read