
Latest updates

29 September 2023 - We have updated the section on ‘What is a controller?’ to add examples of organisations that don’t have a separate legal personality of their own – for example, unincorporated associations such as sports clubs or voluntary groups – and to explain who the controller is in such cases.

In detail

What does the UK GDPR say about controllers and processors?

The UK GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. The UK GDPR defines these terms:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

If you are a controller, you are responsible for complying with the UK GDPR – you must be able to demonstrate compliance with the data protection principles, and take appropriate technical and organisational measures to ensure your processing is carried out in line with the UK GDPR.

If you are a processor, you have more limited compliance responsibilities.

What is a controller?

The UK GDPR defines a controller as:

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

Some controllers may be under a statutory obligation to process personal data. Section 6(2) of the Data Protection Act 2018 says that anyone who is under such an obligation and only processes data to comply with it will be a controller.

A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional, eg a barrister).

However, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the UK GDPR.

Example

A hospital uses an automated system in its waiting room to notify patients when to proceed to a consulting room. The system consists of a digital screen that displays the waiting patient’s name and the relevant consulting room number, and also a speaker for visually impaired patients that announces the same information.

The hospital will be the controller for the personal data processed in connection with the waiting room notification system because it is determining the purposes and means of the processing.


Example

A firm uses an accountant to do its books. When acting for his client, the accountant is a controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations that oblige them to take responsibility for the personal data they process. For example, if the accountant detects malpractice while doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so, an accountant would not be acting on the client’s instructions but in line with his own professional obligations and therefore as a controller in his own right.

If specialist service providers are processing data in line with their own professional obligations, they will always be acting as the controller. In this context, they cannot agree to hand over or share controller obligations with the client.

Some organisations don’t have a separate legal personality of their own – for example, unincorporated associations such as sports clubs or voluntary groups. In this case you should review the document which sets up and governs the management of that organisation. This document should set out which individual(s) manage the organisation on behalf of its members and are likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation.

For convenience you may identify the organisation as a whole as the controller (eg you may use the club or group name in your privacy information for individuals). But for legal purposes the controller will actually be the relevant members who make the decisions about the processing by the organisation.

Example

A trustee receives a subject access request (SAR) from a beneficiary for the personal data held on them. Property is held in a trust for another person’s benefit. A trust is not a legal entity. Therefore, the controller will be the trustee (or trustees, if there is more than one) who makes decisions about the processing of personal data. In this case, the trustee, as the controller, is responsible for responding to the SAR.

If there is more than one trustee (as is often the case), and the trust receives a SAR, the trustees should check the trust deed. This might say whether the trustees act as joint controllers, or whether a single named trustee acts as the controller. The key thing to remember is that it is the trustee or trustees who make decisions about why and how to collect and use personal data who will be the controller (or joint controllers).

In the case of a trust corporation, where a legal entity is created to be the trustee, rather than named individuals, it is the corporation itself that is likely to be the controller. This means that if the trust corporation receives a SAR, it is the organisation rather than any individuals that is responsible for responding to the request.


Example

An amateur sports club uses an electronic system to record details about members for admin purposes and to track their performance. The club receives a subject access request from one of its members. The club checks its governing document and notes that its chairperson is designated as the controller, as they manage the club on behalf of its members and make decisions about the processing of personal data. In this case the chairperson is legally the controller, although the club identifies the organisation as a whole as the controller in its privacy notice.

What is a joint controller?

Controllers can determine the purposes and means of processing alone, or jointly with others – as a joint controller. Article 26(1) of the UK GDPR states that:

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

Joint controllers decide the purposes and means of processing together – they have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes.

What is a processor?

The UK GDPR defines a processor as:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Although a processor may make its own day-to-day operational decisions, Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.

A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.

Example

A gym engages a local printing company to produce invitations to a special event the gym is hosting. The gym gives the printing company the names and addresses of its members from its member database, which the printer uses to address the invitations and envelopes. The gym then sends out the invitations.

The gym is the controller of the personal data processed in connection with the invitations. The gym determines the purposes for which the personal data is being processed (to send individually addressed invitations to the event) and the means of the processing (mail merging the personal data using the data subjects’ address details). The printing company is a processor processing the personal data only on the gym’s instructions.

Employees of the controller are not processors. As long as they are acting within the scope of their duties as an employee, they are acting as an agent of the controller itself. They are part of the controller, not a separate party contracted to process data on the controller’s behalf.

What is a sub-processor?

A processor might wish to sub-contract all or some of the processing to another processor. For shorthand this is sometimes referred to as using a ‘sub-processor’, although this term is not taken from the UK GDPR itself.