At a glance
- Understanding your role in relation to the personal information you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals.
- Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.
- The ICO has the power to take action against controllers and processors under the GDPR.
- Individuals can bring claims for compensation and damages against both controllers and processors.
- You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal information and processing activities you carry out.
- Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the information is processed and the means of processing?
- Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.
The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.
Are we a controller?
☐ We decided to collect or process personal information.
☐ We decided what the purpose or outcome of the processing was to be.
☐ We decided what personal information should be collected.
☐ We decided which individuals to collect personal information about.
☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
☐ We are processing personal information as a result of a contract between us and the information subject.
☐ The information subjects are our employees.
☐ We make decisions about the individuals concerned as part of or as a result of the processing.
☐ We exercise professional judgement in the processing of personal information.
☐ We have a direct relationship with the information subjects.
☐ We have complete autonomy as to how personal information is processed.
☐ We have appointed the processors to process the personal information on our behalf.
Are we a joint controller?
☐ We have a common objective with others regarding the processing.
☐ We are processing personal information for the same purpose as another controller.
☐ We are using the same set of personal information (eg one database) for this processing as another controller.
☐ We have designed this process with another controller.
☐ We have common information management rules with another controller.
Are we a processor?
☐ We are following instructions from someone else regarding the processing of personal information.
☐ We were given the personal information by a customer or similar third party, or told what information to collect.
☐ We do not decide to collect personal information from individuals.
☐ We do not decide what personal information should be collected from individuals.
☐ We do not decide the lawful basis for the use of that information.
☐ We do not decide what purpose or purposes the information will be used for.
☐ We do not decide whether to disclose the information, or to whom.
☐ We do not decide how long to retain the information.
☐ We may make some decisions on how information is processed, but implement these decisions under a contract with someone else.
☐ We are not interested in the end result of the processing.
What’s new under the GDPR?
Controllers have new information protection obligations under the GDPR. Also, in a change from previous legislation, processors now have statutory obligations in their own right under the GDPR.
Individuals and supervisory authorities (such as the ICO) can hold both controllers and processors to account if they fail to comply with their responsibilities under the GDPR.
The GDPR includes explicit requirements directed at joint controllers.
What are ‘controllers’ and ‘processors’?
Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal information.
If two or more controllers jointly determine the purposes and means of the processing of the same personal information, they are joint controllers. However, they are not joint controllers if they are processing the same information for different purposes.
Processors act on behalf of, and only on the instructions of, the relevant controller.
How do you determine whether you are a controller or processor?
You should be able to differentiate between controllers, joint controllers and processors so you understand which GDPR obligations apply to which organisation.
To determine whether you are a controller or processor, you will need to consider your role and responsibilities in relation to your information processing activities.
If you exercise overall control of the purpose and means of the processing of personal information – ie, you decide what information to process and why – you are a controller.
If you don’t have any purpose of your own for processing the information and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the information.
What does it mean if you are a controller?
Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the information protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s).
Supervisory authorities (such as the ICO) and individuals may take action against a controller regarding a breach of its obligations.
Controllers in the UK must pay the information protection fee, unless they are exempt.
What does it mean if you are a processor?
Processors do not have the same obligations as controllers under the GDPR and do not have to pay an information protection fee. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.
Both supervisory authorities (such as the ICO) and individuals may take action against a processor regarding a breach of those obligations.
What does it mean if you are joint controllers?
Joint controllers must arrange between themselves who will take primary responsibility for complying with GDPR obligations, and in particular transparency obligations and individuals’ rights. They should make this information available to individuals.
However, all joint controllers remain responsible for compliance with the controller obligations under the GDPR. Both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.
- Relevant provisions in the GDPR: see Articles 4(7), 4(8), 5(1), 5(2), 26, 28 – 36 and Recitals 28, 79, 81 – 83.
- Further reading (ICO guidance): Contracts and liabilities between controllers and processors.
- In more detail (ICO guidance): we have produced more detailed guidance on controllers and processors.