Assessing controller or processor status
Consider the different processing activities you undertake - depending on the circumstances you may be a controller for some processing and a processor for others. For example, most organisations will be controllers in respect of the administration of their own staff, even if a processor is engaged to carry out that function. A processor offering staff administration services for other controllers will also still be a controller for the administration of its own staff.
The following checklists set out indicators as to whether you are a controller, a processor or a joint controller for any particular activity. The more boxes you tick, the more likely it is that the processing falls within the relevant category.
☐ decide to collect or process the personal data.
☐ decide what the purpose or outcome of the processing is to be.
☐ decide what personal data should be collected.
☐ decide which individuals to collect personal data about.
☐ obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
☐ process the personal data as a result of a contract with the data subject.
☐ data subjects are our employees.
☐ make decisions about the individuals concerned as part of or as a result of the processing.
☐ exercise professional judgement in the processing of the personal data.
☐ have a direct relationship with the data subjects.
☐ have complete autonomy as to how the personal data is processed.
☐ appoint processors to process the personal data on our behalf.
☐ have a common objective with others regarding the processing.
☐ process the personal data for the same purpose as another controller.
☐ use the same set of personal data (e.g. one database) for this processing as another controller.
☐ design the process with another controller.
☐ have common information management rules with another controller.
☐ only follow contractual instructions from someone else regarding the processing of personal data.
☐ are given the personal data by a customer or similar third party, or told what data to collect.
☐ do not decide to collect personal data from individuals.
☐ do not decide what personal data should be collected from individuals.
☐ do not decide the lawful basis for the use of that data.
These lists are not exhaustive, but illustrate the differences between the controller’s and the processor’s roles. In certain circumstances, and where allowed for in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf. However, it cannot take any of the overarching decisions, such as what types of personal data to collect or what the personal data will be used for. Such decisions must only be taken by the controller.