Guide to Data Protection Act for Data Controllers
What is a data processor?
If you process personal data on behalf of a data controller, and are a separate legal entity from the data controller, you are a data processor.
The DPA defines a “data processor” as:
As a data processor, you may process personal data which the relevant data controller has entrusted to you only in accordance with the data controller's instructions and the terms of a written agreement (a so-called data processing agreement), which forms the basis of your appointment as a data processor (see below at “Contracts between data controllers and data processors”).
As a data processor, you may not process personal data received from the data controller for your own purposes or in any manner not in accordance with the data controller’s instructions. If you do so, you will become a data controller in your own right and you will bear all obligations of the data controller under the DPA.
Importantly, your role as a data processor or a data controller will depend on the actual decision-making regarding the personal data taking place between the parties, which should be reflected in the legal agreements. The assessment should be made from a high-level perspective, taking the whole of the processing activity into consideration.
Example
Within a group of companies, company A may legally have decision-making powers regarding the processing of personal data at company B. Factually, however, all decisions regarding the conditions, manners, and purposes of company B’s processing activities are taken at company B. While the legal arrangement may indicate that company A is the data controller, the actual decision-making taking place means that company B is the data controller.