What is a Data Controller?

Knowing whether you are a data controller, joint controller or processor is important as each role has different obligations.

Both processors and controllers can be sued by data subjects and the ICO can also take action against both. It is therefore essential that you clarify what your role is, ensuring you keep a record of what data processing functions you are undertaking.

It doesn’t matter how your role is defined in an agreement or what your title is; it is the reality of your situation that is important. If you determine the purposes and means of processing data, then you will be considered to be a data controller.

Data Controller GDPR

A data controller under the GDPR is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

The 2018 Data Protection Act adds that where personal data is processed owing to a specific enactment, then the person specified in the enactment will be the controller.

Processors are different from controllers; processors act on behalf of, and only on the instructions of, the relevant controller.

Controllers have the highest level of compliance responsibility within an organisation – and they are responsible for the compliance of all processors.

Data Protection Officers (DPO)

DPOs or Virtual Data Protection Officers (vDPOs) are distinct from data processors and controllers. A DPO is a person within an organisation who has responsibility for data processing compliance within that business or organisation. Most large businesses will be required to have a DPO, but some businesses, even where they are not required to, often opt to appoint a DPO to ensure proper data protection compliance.

Data Controller Examples

Examples of who might be a data controller are companies, partnerships, self-employed people, and sole traders. The range of businesses that might be a controller is therefore vast, including lawyers, accountants, dentists, doctors, supermarkets, building contractors, banks, and other businesses, whether conducted online or not.

Governmental and non-governmental organisations will also be data controllers as will other organisations such as the police, hospitals, schools and local authorities.

Written by Matt Elkins Solicitor Advocate, (LLB, LLM)

Matt is a Solicitor Advocate and Director of Legisia Legal Services. He specialises exclusively in police record deletion, DBS appeals, and regulatory defence. With over 20 years of experience, he has advised hundreds of professionals and individuals on high-stakes matters affecting careers, reputations, and legal standing. His work focuses on challenging unlawful data retention, safeguarding thresholds, and procedural breaches across UK policing and disclosure systems.
