Guide to Data Protection Act for Data Controllers

What is a data controller?

If you exercise control over personal data by making decisions about why and how personal data is handled, you are the data controller.

The DPA defines a “data controller” as:

the person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed and includes a local representative

As a data controller, you are responsible for applying the requirements of the DPA, applying the data protection principles to the personal data which you process (or which are processed by someone else on your behalf), and cooperating with investigations of the Ombudsman. 

As a data controller you are also responsible for ensuring that the data protection principles are complied with in relation to personal data being processed on your behalf (by a data processor).

A data controller can be any legal person, i.e. an individual, corporation, either aggregate or sole, or any club, society, association, public authority or other body, of one or more persons.

Where you, as a data controller, decide together with another organisation about how and why personal data is processed, you will be a joint data controller together with the other organisation. This means that both entities are jointly responsible for complying with their obligations under the DPA. While not explicitly mentioned in the DPA, it is best practice for joint controllers to enter into a joint controllership agreement, which will lay out the parties’ respective responsibilities. It should be noted that the information requirements under the first data protection principle (fair and lawful processing) will mean that the essence of the joint controllership agreement should be communicated to the individual.
