What the law says:
""data controller" means ... a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed"
What it means:
A data controller must be a “person” recognised in law which decides how and why personal data is processed.
Data controllers will usually be businesses or organisations, but can be individuals, for example self-employed consultants or tradesmen, or individuals who are undertaking a specific role, such as an MHK or local authority commissioner, and other corporate and unincorporated bodies of persons. Each Government department is also a data controller.
Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals. Even though some organisations give a certain individual responsibility for data protection compliance, that individual will be acting on behalf of the organisation, and the organisation will remain the data controller.
A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed. When deciding who is a data controller, the greatest weight is placed on 'purpose' – identifying whose decision to achieve a “business” purpose has led to personal data being processed.
In relation to data controllers, the term 'jointly' is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.
Please note that we often refer to data controllers of all types as 'organisations' in our guidance, literature and on our website.