This Checklist outlines the main factors a controller would ordinarily consider when undertaking an audit with a view to assessing whether a potential or current processor of personal data is suitable under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For more detail about controllers’ obligations and engaging processors within the UK GDPR regime, see the following Practice Notes:
• The UK General Data Protection Regulation (UK GDPR)
• Key definitions under UK data protection law
• Supply chains under data protection law—arrangements between controllers and processors
Audits of processors
Although processors subject to the UK GDPR have distinct duties under the legislation, controllers remain accountable for a processor’s handling of personal data carried out under their instructions and on their behalf. Under the accountability principle of the UK GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles in Article 5(1) UK GDPR—which include lawfulness, fairness and transparency; purpose limitation;...
This Checklist
Use this Checklist when a customer appoints a supplier to process data on its behalf—for instance, a payroll or payment processing business operating under a stand-alone agreement. It addresses common issues encountered during the negotiation and preparation of data processing services agreements, covering both personal data and other data (eg statistical). The Checklist also contemplates agreements that involve processing personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR). For an introduction to the UK GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR). Where personal data is in scope, the assumption is that the supplier acts as processor (and not as controller) for the customer, who is the sole controller. For additional guidance on the terms ‘controller’ and ‘processor’, see Practice Note: Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller). It is also assumed that both parties are acting in the course of business...
Flowchart
This Flowchart outlines the key questions for deciding international jurisdiction in employment matters—namely, the appropriate forum for bringing proceedings and identifying the court and/or tribunal competent to hear the claim—applicable to proceedings commenced on or after 1 January 2021. For additional guidance on jurisdiction in employment disputes from 1 January 2021 onwards, consult Practice Note: International jurisdiction—the Civil Jurisdiction and Judgments Act 1982 in employment cases as set out therein...
In this issue:
• E-commerce
• Public procurement
• Sale and supply of goods
• Supply chain
• Daily and weekly news alerts
• New and updated content
• Dates for your diary
• Trackers
• Latest Q&A
E-commerce
EU GDPR obligations and platform liability (X v Russmedia)
The operator of an online marketplace where a listing appeared was held to have breached its duties under the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), even though it removed the advert swiftly, in under an hour after receiving a takedown request. The court concluded it acted as a joint controller of the sensitive personal data within the advert and should, before publication, have put in place measures to: (i) detect adverts containing sensitive personal data; (ii) confirm that the advertiser is the individual whose sensitive personal data features in the advert and, if not, ensure the data subject’s explicit consent has been obtained; and (iii) implement safeguards to stop any further...
How has the exemption available for controllers under the GDPR in relation to liability to compensate data subjects changed? Under the earlier Data Protection Directive 95/46/EC (Article 23(2)), where a person was entitled to damages from a controller due to unlawful processing, the controller could rely on a potential exemption if it was not responsible for the event that caused the loss. Recital 55 offered two illustrations of situations for which the controller would not bear responsibility: a mistake by the data subject, and a case of force majeure. The language of these provisions lacked clarity, and the concept of ‘force majeure’ has no consistent definition across EU legal systems (it does not even carry a settled meaning in English law, depending heavily on contractual wording). Unsurprisingly, this carve-out, and the reference to force majeure, was loosely carried across into national implementing legislation. For example, the Data Protection Act 1998 (DPA 1998) gave a controller a defence in claims for compensation...
Does the GDPR apply to unincorporated associations, such as sports clubs, and who is responsible for compliance by an unincorporated association with the GDPR?
Who is ‘controller’ or ‘processor’?
Yes—the General Data Protection Regulation, Regulation (EU) 2016/679, applies to unincorporated associations in the same way it applies to companies or partnerships. The GDPR’s definitions of a ‘controller’ and a ‘processor’ encompass both natural persons and legal persons. The challenge for unincorporated associations is that they are not legal persons. They have no separate legal personality; they exist by contract, and neither statute nor case law sets out clear, definitive rules for what their governing provisions must contain. What truly matters under the GDPR is not the category of person or entity undertaking the processing, but the overall activity of collecting and using personal data. The rationale is straightforward: the law should not be capable of being avoided, and there must always be an accountable individual or body answerable to data subjects. In that respect, there is no distinction. Determining...
STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill secured Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025), with some of its provisions taking effect on that same date. Provisions of DUAA 2025 dealing with issues such as handling data subject access requests, and granting the power to make further regulations, commenced immediately on 19 June 2025. Other elements, relating to notices issued by the Information Commissioner and certain facets of law enforcement processing, began to apply on 19 August 2025 (two months from the date of Royal Assent). The bulk of DUAA 2025’s measures will only commence once additional regulations, by way of statutory instruments, are made and brought into force. Parts 5 and 6 of DUAA 2025 operate to revise and update areas of UK data protection and ePrivacy law within the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations...
ARCHIVED: This archived Practice Note outlines and summarises the data protection regime in place before 25 May 2018 and describes the position under the Data Protection Act 1998 (DPA 1998). It is supplied for background purposes only and therefore is not kept up to date. The Note deals specifically with the DPA 1998’s applicability and territorial reach. When assessing whether the DPA 1998 applies, consider the following key points:
• the nature of the data being processed—the DPA 1998 strictly applies only to processing of personal data; other information (eg statistical material or data that does not relate to an identifiable person) is outside scope
• where the data controller is established—the DPA 1998 applies only to data controllers established in the UK who process personal data in the context of that establishment...
Practice Note
This Practice Note sits within the Data Protection Negotiation Guide (Guide). This section covers negotiating clauses on erasure and handback of personal data once processing ends in agreements between controllers and processors that are subject to the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For an introduction to the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note uses a number of common abbreviations, which are defined separately in that introduction. As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction:
• the parties may commercially apportion the costs and expenses of fulfilling these obligations between themselves
• there are notable similarities between the UK GDPR and the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), and the Guide concentrates on the position under the UK GDPR.
For information about the background to the UK GDPR and its relationship with the EU GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Summary of...
Danish SCCs
A set of Standard Contractual Clauses (SCCs) designed to meet Article 28(3) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), specifically addresses contractual arrangements between controllers and processors and was formally issued by the Danish data protection supervisory authority (the Danish SCCs). Their release followed an opinion from the European Data Protection Board (EDPB). The Danish SCCs are distinct from SCCs that concern cross-border international personal data transfers under Chapter V of the EU GDPR...
Within this precedent, the following extra defined terms are used: ‘Agreement’, ‘Business Day’, ‘Charges’, ‘Customer’, ‘Services’, ‘Supplier’ and ‘Supplier Personnel’. They are not specific to data processing and are assumed defined separately in the relevant agreement...
Note
These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies...
1 Definition (to be incorporated into relevant part of the agreement)
1.1 Representative
•...
In any specific context, a controller handling personal data or information must assess if the processing activity complies with what is now the applicable Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018 (DPA 2018)...
We have concentrated specifically on sections 108–110 of the Digital Economy Act 2017 (DEA 2017) and sections 132–133 of the draft Data Protection Bill 2017 (DPB 2017) for the purposes of this Q&A. Part III of the Data Protection Act 1998 (DPA 1998) obliges data controllers who handle personal data to notify the Information Commissioner of their processing for inclusion in the register maintained by the Information Commissioner’s Office (ICO). Controllers seeking to register must pay an applicable fee. For further details, consult the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, and official guidance from the Information Commissioner...
To handle personal information in a lawful manner under the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, an employer must first identify a lawful basis before any personal data is processed. Among the lawful grounds listed in Article 6 of Regulation (EU) 2016/679, GDPR, is processing that is necessary for the purposes of legitimate interests pursued by the controller or a third party, unless those interests are outweighed by the data subject’s interests, rights or freedoms. The Information Commissioner’s GDPR guidance explains that, in relation to the legitimate interests condition, it is the most adaptable lawful basis for processing; however, data controllers should not presume it will invariably be the right choice. The GDPR guidance further notes that:
• The legitimate interests basis tends to be suitable where individuals would reasonably anticipate the use of their data and the privacy impact is minimal, or where there is a compelling rationale for the processing
• Data controllers relying on legitimate interests take on additional responsibility to consider and...