- Data Controllers and Data Processors may be natural or legal persons, a public authority, agency or other body.
- A Data Controller, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Section 6 of the Data Protection Act 2019 widens the definition of a Controller to include the processing of personal data for the purpose of compliance with an obligation arising in an enactment.
- Where two or more controllers jointly determine the purposes and means of processing, they are known as Joint Controllers.
- Joint Controllers must come to an arrangement setting out their respective responsibilities, be transparent over the roles each is responsible for and set out how an individual may exercise their rights.
- A Data Processor processes personal data on behalf of the controller in accordance with a written contract, the minimum terms of which are set out in Article 28.
- Data Controllers and Data Processors outside the EU/EEA offering goods or services to, or monitoring, those within the EU must appoint a representative through which individuals and the ICO may gain meaningful contact with the Controller.
Article 29 Working Party Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ (WP 169)
Section 6 of the DPA 2018 http://www.legislation.gov.uk/ukpga/2018/12/section/6/enacted
Government document on procurement with standard clauses https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/708836/18.docx.pdf
Facebook and Joint Controllers
Jehovah's Witnesses and Controllers
ICO guidance, with a link to specific detailed guidance on liabilities between controllers and processors