Data Protection Commissioner
Data Protection Commissioner

Are you a "data controller"?

A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner.

In essence, you are a data controller if you can answer YES to the following question:
  • Do you keep or process any information about living people?

 

In practice, to find out who controls the contents and use of personal information kept, you should ask the following questions:
  • who decides what personal information is going to be kept?
  • who decides the use to which the information will be put?

If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data contoller, and your organisation is a "data processor" (see below).

Types of Data Controller

Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents etc.

Group companies and subsidiary companies

It is common in the business world for a holding company to own one or more subsidiary companies. If personal data is flowing within the group of companies, who is the data controller? In answering this question, it should be noted that each company, whether it is a parent company or a subsidiary, is a distinct legal person with its own set of legal and data protection responsibilities. Each company within a group may therefore be a data controller in respect of the personal data which it has obtained and for which it is legally responsible; and it is necessary for each data controller to assess whether disclosures of personal data to other group companies are permissible. It is only in rare cases that two or more companies may properly exercise legal or de facto control and responsibility for a given set of personal data. In such cases, the companies are regarded as joint data controllers.

Responsibilities of data controllers

All data controllers must comply with certain important rules about how they collect and use personal information.

Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.

Data Processors

As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. "Cloud" providers are also generally Data Processors.

It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.

A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.

Responsibilities of data processors

Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor.

Further Information

More detailed guidance on this subject is contained in Opinion 1/2010 issued by the Article 29 Working Party.


More about the requirement to keep data secure