- 15 May 2023
Is my organisation a controller or a processor under data protection law and why is it important to know?
The UK General Data Protection Regulation (UK GDPR) defines a controller as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Controllers therefore ‘control’ the personal data and make the key decisions about that data and its processing, for example, what data to collect and from whom, the purposes for which it will use the data and how long to retain it. Controllers are likely to receive a commercial benefit from the processing, make decisions about individuals as a result of processing their data or exercise professional judgement when processing personal data.
The UK GDPR defines a processor as: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Processors must only act on the instructions of the controller in relation to the personal data they process. Processors are likely to have been given the personal data by the controller and are generally not interested in the outcome of the processing because they are doing it on behalf of the controller, e.g. to provide a service to the controller.
The UK data protection authority, the Information Commissioner’s Office (ICO), has a useful checklist of indicators pointing towards whether an organisation is a controller or processor. This can be found here.
However, it is not as simple as an organisation being a controller OR a processor. An organisation needs to identify the different categories of personal data it is holding, what it is doing with that data and why. It then needs to decide, in relation to each of those categories, whether it is a controller or a processor in respect of the personal data. This means that an organisation can be a controller in relation to some personal data whilst at the same time being a processor for other personal data.
It is important to consider and document whether the organisation is a controller or a processor in relation to each category of personal data because data protection law imposes different obligations (and liabilities) on a controller, when compared to a processor, in respect of the relevant personal data. Therefore, the organisation needs to know whether it is a controller or a processor so that it ensures it complies with the correct obligations and therefore with relevant data protection law.
Every organisation will be a controller of personal data to some extent. For example:
- An organisation is a controller in respect of personal data it holds relating to its owners / shareholders / partners / members / trustees / directors / employees / volunteers.
- If an organisation sells goods or services to consumers and receives personal data from the consumers in order to make those sales (e.g. name and address for delivery of goods) then it will be a controller in relation to the personal data received.
There may also be circumstances in which an organisation processes personal data on behalf of another organisation in which case it may be a processor as well as a controller. For example:
- A payroll company receives personal data from a customer, Customer ABC Limited, so that it can process salary payments for Customer ABC Limited’s employees. The payroll company is a processor of that personal data as it is only acting on the instructions of its customer.
- A builders’ merchant uses a cloud hosting service, Hosting ABC Limited, to store the data it records on its computer systems, which includes employee and customer personal data. Hosting ABC Limited’s role is limited to just holding the builders’ merchant’s personal data on its servers and therefore it is a processor for that personal data.
If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact us.