What are GDPR data ‘controllers’ and ‘processors’?

What does the UK GDPR say about processors & controllers?

The UK GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. The UK GDPR defines these terms:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

If you are a controller, you are responsible for complying with the UK GDPR: you must be able to demonstrate compliance with the data protection principles, and take appropriate technical and organisational measures to ensure your processing is carried out in line with the UK GDPR.

If you are a processor, you have more limited compliance obligations.

What is a controller?

The UK GDPR defines a controller as:

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

Some controllers may be under a statutory obligation to process personal data. Section 6(2) of the Data Protection Act 2018 says that anyone who is under such an obligation and only processes data to comply with it will be a controller.

A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, a partner in an unincorporated partnership, or a self-employed professional, eg a barrister).

However, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the UK GDPR.

Example

A GP surgery has an automated system in its waiting room to notify patients when to go through to a GP’s consulting room. The system includes an electronic display which shows the waiting patient’s name and the relevant consulting room number, and also a speaker for visually impaired people which announces the same information.

The GP surgery will be the controller for the personal data processed in connection with the waiting room notification system, because it is determining the purposes and means of the processing.

Example

A company engages an accountant to do its books. When acting for the client, the accountant is usually a controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process. For example, if the accountant discovers malpractice while doing the company’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the relevant authorities. In doing so, the accountant would not be acting on the client’s instructions but in line with his own professional obligations, and therefore as a controller in his own right.

Where professional service providers are processing data in line with their own professional obligations, they will always be acting as the controller. In this context, they cannot agree to hand over or share controller responsibilities with the client.

Some organisations do not have a separate legal personality of their own, for example unincorporated associations such as voluntary groups or sports clubs. In this case you need to look at the document that sets up and governs the management of that organisation. This document should set out which individual(s) manage the organisation on behalf of its members and are therefore likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation.

For convenience you may identify the organisation as a whole as the controller (eg you may use the club or group name in your privacy information for individuals). But for legal purposes the controller will actually be the relevant members who make the decisions about the processing carried out by the organisation.

What is a joint controller?

Controllers can determine the purposes and means of processing alone, or jointly with others, as a joint controller. Article 26(1) of the UK GDPR states that:

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

Joint controllers decide the purposes and means of processing together: they have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes.

What is a processor?

The UK GDPR defines a processor as:
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Although a processor may make its own day-to-day operational decisions, Article 29 says it must only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.

A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.