HomeInsightsInformation Commissioner’s Office publishes detailed guidance on controllers and processors

Article by

The guidance is designed to help organisations decide whether they are acting as a controller, processor or joint controller when processing personal data. The ICO says that it recognises that this exercise can be difficult. The guidance includes examples and explains the roles and responsibilities of each. It also outlines the governance issues that are relevant to them.

Setting out the differences between controllers and processors, the guidance explains that, essentially, controllers make decisions about processing activities and exercise overall control of the personal data being processed. They are ultimately in charge of and responsible for the processing.

Some controllers may be under a statutory obligation to process personal data. Section 6(2) of the Data Protection Act 2018 says that anyone who is under such an obligation and only processes data to comply with it will nonetheless be a controller.

As for joint controllers, Article 26(1) of the GDPR states that: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”.

The guidance explains that joint controllers decide the purposes and means of processing together: they have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes.

As for processors, the GDPR defines “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

The guidance explains that processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own. If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including in order to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.

The guidance then sets out various examples demonstrating the differences between controllers and processors.

As for applying the principles in practice, the guidance recognises that the definition of a processor can be difficult to apply in the complexity of modern business relationships. In practice, it says, there is a scale of responsibility in how organisations work together to process personal data. The key is to determine each party’s degree of independence in determining how and in what manner the data is processed as well as the degree of control over it. Again, the guidance provides various examples.

Finally, the guidance sets out what it means to be a controller and a processor and what each needs to do in order to comply with the law. To access the detailed guidance in full, click here.