The ICO exists to empower you through information.

This guidance discusses controllers and processors in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read controllers and processors in brief in the Guide to Data Protection, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

This guidance will help you decide whether you are acting as a controller, processor or joint controller when processing personal data. We know this exercise can be difficult, so we have included examples to help you. The guidance also explains the roles and responsibilities of each, and outlines the governance issues that are relevant to them.

Contents

What are ‘controllers’ and ‘processors’?

What does the UK GDPR say about controllers and processors?

What is a controller?

What is a joint controller?

What is a processor?

What is a sub-processor?

How do you determine whether you are a controller or processor?

Why is it important to distinguish between controllers and processors?

How do you determine whether you are a controller or processor?

How does this apply in practice?

Can you be both a controller and a processor of personal data?

What does it mean if you are a controller? 

What are your responsibilities as a controller?

Can you be held liable for non-compliance?

What does it mean if you are a processor?

What are your responsibilities as a processor?

Can a processor be held liable for non-compliance?

Can you sub-contract to another processor?

How does using a sub-processor affect liability for non-compliance?

What does it mean if you are joint controllers?

What are the responsibilities of joint controllers?

Can a joint controller be held liable for non-compliance?