The ICO exists to empower you through information.

This guidance discusses controllers and processors in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read controllers and processors in brief in the Guide to Data Protection, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

This guidance will help you decide whether you are acting as a controller, processor or joint controller when processing personal data. We know this exercise can be difficult, so we have included examples to help you. The guidance also explains the roles and responsibilities of each, and outlines the governance issues that are relevant to them.

Contents

What are ‘controllers’ and ‘processors’?

How do you determine whether you are a controller or processor?

What does it mean if you are a controller? 

What does it mean if you are a processor?

What does it mean if you are joint controllers?