Further Reading: What are controllers and processors?

  • Data Controllers and Data Processors may be natural or legal persons, a public authority, agency or other body.
  • A Data Controller, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Section 6 of the Data Protection Act 2019 widens the definition of a Controller to include the processing of personal data for the purpose of compliance with an obligation arising in an enactment
  • Where two or more controllers jointly determine the purposes and means of processing, they are known as Joint Controllers.
  • Joint Controllers must come to an arrangement setting out their respective responsibilities, be transparent over the roles each is responsible for and set how an individual may exercise their rights
  • A Data Processor processes personal data on behalf of the controller in accordance with a written contract, the minimum terms of which are set out in Article 28
  • Data Controllers and Data Processors outside the EU/EEA offering goods or services, or monitoring those within the EU must appoint a representative through which individuals and the ICO may gain meaningful contact with the Controller

References:

Article 29 Working Party Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ (WP 169)

Section 6 of the DPA 2018 http://www.legislation.gov.uk/ukpga/2018/12/section/6/enacted

Government document on procurement with standard clauses https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/fil e/708836/18.docx.pdf

Cases:

Facebook and Joint Controllers

http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130da9586a3c28d9a44d98a73e6e8b2173732.e34KaxiLc3eQc40LaxqMbN4Pb3iPe0?text=&docid=202543&pageIndex=0&docla ng=EN&mode=req&dir=&occ=first&part=1&cid=318350

Jehovah witnesses and Controllers

http://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=643417

ICO guidance with link to specific guidance on detailed guidance and liabilities between controllers and processors

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/key-definitions/controllers-and-processors/