Back to Basics: Controllers and Processors Under Data Protection Laws

To continue our Back to Basics series, here we address fundamental but often misunderstood concepts within the UK GDPR – data controllers and data processors.

Definitions under data protection laws

Controllers decide what to do with the personal data and have an overarching responsibility to comply with data protection laws. For example, an employer will be a data controller of its employees’ personal data as the employer decides on the purposes of the processing, and how the data is processed.

Processors, on the other hand, only use personal data for a purpose decided by a controller and have limited legal obligations. Often (but not always) a Software as Service (SaaS)vendor will process personal data on behalf of controllers in providing a basic SaaS solution which hosts personal data (for example, a payroll solution).

• ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Why designations are important

Determining which party / parties are a controller or a processor is important for designating responsibilities under an agreement, which in turn allows the parties to include the parameters of a party’s use of any personal data under a contract.

There is also a legal requirement to include certain provisions where a party is processing personal data on behalf of a data controller (either a standalone data processing agreement or data protection clauses within a principal agreement). The agreement must set out how data will be protected, how data breaches are handled and reported and how individuals can invoke their rights under data protection laws.

The Information Commissioner can impose enforcement notices and/or monetary penalties on those who fail to have appropriate agreements in place.

Summary

Working out which party is a controller and which party is a processor can be tricky, especially when there are multiple designations in one agreement or relationship. However, it’s important that businesses satisfy themselves they have complied with their regulatory obligations in working out the scope of authority of those they share data with, and have appropriate legal agreements in place to govern any data processing or sharing.

Our Experts can help with drafting and negotiating data processing and data sharing agreements, and advising on controller/processor designations.