What is a data controller?
Quick answer: anyone who decides why and how your personal data is processed
By Bronwyn McCabe
Wed 5 August 2020
Data controllers are the overarching decision-makers for personal data: they decide what the data will be used for, how it will be processed and whom it will be collected from.
GDPR defines them as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'
Basically, they're directly responsible for deciding to collect and process personal data, what your personal data will be used for, and how it will be collected. Bear in mind that a controller can be an individual or a large organisation; what matters is their control over the purposes and means of processing, not their size.
Are data controllers the same as data processors?
Crucially, data controllers are different from data processors. Each role has its own specific requirements under GDPR. A processor only processes personal data on the controller's documented instructions, so the controller determines exactly what the processor does and why. Typically, data processors are third parties external to the main organisation, such as a payroll provider or cloud hosting company.
Data controllers are also required to pay the data protection fee in the UK, with some exemptions.
What are joint controllers?
Data controllers can act alone or together with one or more other organisations. Those that jointly decide why and how personal data is collected and processed are known as joint controllers. Under GDPR (Art. 26) they must set out, in a transparent arrangement between them, which of them is responsible for which obligations, such as handling requests from data subjects, and they may designate one of them as the contact point. This doesn't mean the others are exempt: each joint controller remains responsible for its own compliance with GDPR, and you can exercise your rights against any of them.
What rules do data controllers have to follow?
The seven data protection principles
GDPR outlines seven key data protection principles (Art. 5) that must be adhered to whenever personal data is collected and processed. Data controllers, above all, must ensure that personal data is:
- Processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
- Collected and processed only for specified, explicit and legitimate purposes ('purpose limitation')
- Adequate, relevant and limited to only what is necessary ('data minimisation')
- Accurate and, where necessary, kept up to date ('accuracy')
- Kept in a form that allows identification of data subjects for no longer than necessary for the purposes of processing ('storage limitation')
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality')
- Handled by a controller who is responsible for, and able to demonstrate, compliance with the principles above ('accountability', Art. 5(2))
What is the data protection fee?
Data controllers, unlike data processors, are required to pay the data protection fee to the ICO under the Data Protection (Charges and Information) Regulations 2018. The fee ranges from £40 to £2,900 and is tiered according to the organisation's number of staff and annual turnover (with reduced rates for charities and small occupational pension schemes).
Not every data controller has to pay this fee, though. If an organisation collects and processes personal data only for the uses below, it is not required to pay:
- Advertising, marketing, or public relations
- Staff administration
- Accounts and records
- Personal, family, or household uses
- Maintaining public registers
- Judicial uses
- Processing personal information without an automated system such as a computer (manual, paper-based records only)
So, data controllers are any individual, organisation, government department or other body that decides why and how your personal data is used. Data controllers bear the primary legal responsibility for that data and must meet their GDPR obligations. If you have any concerns about a particular data controller, you can always raise them with the ICO (Information Commissioner's Office), as it's their job to make sure personal data is being handled responsibly. Or, if you'd like to find out what any company has recorded about you or ask them to delete it, send a request through Rightly.