Archived Gibraltar Regulatory Authority website

ARE YOU A DATA CONTROLLER OR DATA PROCESSOR?

The Data Protection Act 2004 defines data controller and data processor as follows:

"Data controller" means a natural or legal person, public authority, agency or any other body who or which, alone or jointly with others determines the purposes and means of the processing of data;

"Data processor" means:

(a) not being a data controller, or employee of a data controller;

(b) a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

A data controller is the legal entity who controls and is responsible for the processing of personal information. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt you should consult your legal adviser or seek the advice of the Data Protection Commissioner.

In essence, you are a data controller if you keep or process any information about living people (data subjects).

In practice, to find out who controls the contents and use of personal information kept you should ask the following questions:-

Who decides what personal information is going to be kept?

Who decides the use to which the information will be put?

If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If you hold the personal data but some other organisation decides and is responsible for what happens to the data then that other organisation is the data controller and your organisation is a data processor (see below). Note however that a data processor may also be a data controller for other types of data held (e.g. its own employees' personal details for the purposes of payroll).

Types of Data Controller

Data controllers can be legal entities such as individuals, companies, government departments and voluntary organisations. Examples of cases where the data controller is an individual include general practitioners, pharmacists and sole traders where these individuals keep personal information about their patients, clients, etc.

Group companies and subsidiary companies

It is common in the business world for a holding company to own one or more subsidiary companies. It should be noted that each company, whether it is a parent company or a subsidiary, is a distinct legal entity with its own set of data protection responsibilities. Each company within a group may therefore be a data controller in respect of the personal data which it is processing and for which it is legally responsible, and it is necessary for each data controller to assess the legal implications of disclosures of personal data to other group companies.

Data Processors

As mentioned above, if you process personal data, but are not responsible for, or control the personal data, then you are a data processor. Examples of data processors include payroll companies, accountants and information service companies all of which could process personal data on behalf of someone else.

It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.

A data processor must be distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a data processor. However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser or accountant) would be a data processor.

Responsibilities of data processors

In contrast to data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition, all data processors "whose business consists wholly or partly in processing personal data on behalf of data controllers" are required to register with the Data Protection Commissioner.