Getting Started

Who is a Data Controller?

Controller or processor? Find out which role your business plays, because it decides which duties fall on you.

Beginner 10 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What a data controller is
  • What a data processor is
  • The difference between the two roles
  • How to work out which one your business is

Overview

The Act places different duties on different roles. Before you can work out what you must do, you need to know whether your business is a data controller, a data processor, or both.

Why this matters

Almost all of the headline responsibilities under the Act sit with the controller: deciding the lawful basis, providing privacy notices, answering people's requests, and keeping data secure. Processors have narrower duties. So identifying your role tells you which obligations apply.

What the law says

The Act (see the definitions in ) describes these roles:

  • A data controller is the person or organisation that decides why and how personal data is processed.
  • A data processor processes personal data on behalf of a controller, following the controller's instructions, and does not decide the purposes itself.
Tip. A simple test: if you decide what data to collect and why, you are the controller. If you only handle data because someone else told you to and set the rules, you are a processor for that activity.

Controllers, processors, and joint controllers

  • Controller. A clinic deciding what patient records to keep is the controller for those records.
  • Processor. A payroll company that runs payroll using staff data your company supplies is a processor.
  • Joint controllers. Sometimes two organisations decide the purposes together. They share controller responsibilities.

Real-world examples

  • A retailer is the controller for its customer list. Its email-marketing tool is a processor.
  • A school is the controller for student records. Its cloud storage provider is a processor.
  • A construction firm is the controller for employee files. Its outsourced HR service may be a processor.

Common mistakes

  • Assuming that because a vendor holds the data, the vendor is responsible. As controller, you remain responsible.
  • Using processors without a written contract setting out their duties.
  • Forgetting that you can be a processor too, for example when you handle a partner's customer data.

Best practices

  • For each system or supplier, write down whether you are the controller or processor.
  • Keep a register of your processors, with what they do and where they are based.
  • Make sure every processor relationship is backed by a written contract.

Put this into practice

Keep a register of the processors that handle data on your behalf. It is good practice and an accountability tool.

Map your processors

Frequently asked questions

Usually a processor, because it stores or processes data on your instructions. You remain the controller.

Key takeaways

  • A data controller decides why and how personal data is processed.
  • A data processor only acts on a controller's instructions.
  • Most businesses are controllers for their own customer and staff data.
  • Your role determines your duties, so it is worth identifying clearly.

Related

Ask the Privacy Assistant

Beta