Guide to Data Protection Act for Data Controllers

What is a data processor?

If you process personal data on behalf of a data controller, and are a separate legal entity from the data controller, you are a data processor.

The DPA defines a “data processor” as:

any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller

As a data processor, you may process personal data which the relevant data controller has entrusted to you only in accordance with the data controller's instructions and the terms of a written agreement (a so-called data processing agreement), which forms the basis of your appointment as a data processor (see below at “Contracts between data controllers and data processors”).

As a data processor you may not process personal data received from the data controller for your own purposes or in any manner not in accordance with the data controller’s instructions. If you do so, you will become a data controller in your own right and you will bear all obligations of the data controller under the DPA.

Importantly, whether you are a data processor or a data controller depends on the actual decision-making regarding the personal data that takes place between the parties, which should be reflected in the legal agreements. The assessment should be made from a high-level perspective, taking the whole of the processing activity into consideration.

Example

Within a group of companies, company A may legally have decision-making powers regarding the processing of personal data at company B. Factually, however, all decisions regarding the conditions, manners, and purposes of company B’s processing activities are taken at company B. While the legal arrangement may indicate that company A is the data controller, the actual decision-making taking place means that company B is the data controller.

 
