Controllers and joint controllers

A controller is defined as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.


A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional). Some controllers may be under a statutory obligation to process personal data. Regulation 6 of the GDPR and LED Implementing Regulations 2018 says that anyone who is under such an obligation and only processes data to comply with it will be a controller.

Some organisations don’t have a separate legal personality of their own – for example, unincorporated associations such as sports clubs or voluntary groups. In this case you should review the document which sets up and governs the management of that organisation. This document should set out which individual(s) manage the organisation on behalf of its members and are likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation.

For convenience you may identify the organisation as a whole as the controller (e.g. you may use the club or group name in your privacy information for individuals). But for legal purposes the controller will actually be the relevant members who make the decisions about the processing by the organisation.

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing. They shoulder the highest level of compliance responsibility and must comply with, and demonstrate compliance with, all the data protection principles as well as the other requirements of the law. They are also responsible for the compliance of any processor engaged.


A GP surgery uses an automated system in its waiting room to notify patients when to proceed to a GP consulting room. The system consists of a digital screen that displays the waiting patient’s name and the relevant consulting room number, and also a speaker for visually impaired patients that announces the same information.

The GP surgery will be the controller for the personal data processed in connection with the waiting room notification system because it is determining the purposes and means of the processing.


A firm uses an accountant to do its books. When acting for his client, the accountant is a controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations that oblige them to take responsibility for the personal data they process. For example, if the accountant detects malpractice while doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so, an accountant would not be acting on the client’s instructions but in line with his own professional obligations and therefore as a controller in his own right.

If specialist service providers are processing data in line with their own professional obligations, they will always be acting as the controller. In this context, they cannot agree to hand over or share controller obligations with the client.

Joint controllers

Joint controllers must arrange between themselves who will take primary responsibility for complying with data protection obligations, and in particular transparency obligations and individuals’ rights. They should make this information available to individuals.

However, all joint controllers remain equally responsible for compliance with the controller obligations, and both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.