Stay Legal UK

Are you a data controller or processor?


It is vital that you understand your role regarding personal data to ensure compliance with the General Data Protection Regulation (GDPR). Your obligations under the GDPR will differ depending on whether you are a controller, joint controller, or processor. If you breach your obligations, the Information Commissioner’s Office (ICO) can take legal action against you as a controller or processor under the GDPR. Individuals can also make a claim for damages and compensation against controllers and processors. The following explains the difference between controllers, joint controllers, and processors:


Controllers:

  • Make the decision to collect or process the personal data.
  • Decide what the purpose or outcome of the processing is to be.
  • Decide what personal data to collect.
  • Decide which individuals to collect personal data about.
  • Obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • Process the personal data because of a contract held with the data subject.
  • The data subject may be an employee of the controller.
  • Make decisions about the data subject as part of or because of the processing.
  • Exercise professional judgement in the processing of the personal data.
  • Have a direct relationship with the data subject.
  • Have complete autonomy as to how the personal data is processed.
  • Can select the processors to process the personal data.

Joint controllers:

  • Have a common objective with others in relation to the processing.
  • Process the personal data for the same purposes as another data controller.
  • Share the same set of personal data with another controller for the processing, such as one shared database.
  • Have designed the process with another data controller.
  • Share common information management rules with another data controller.


Processors:

  • Follow instructions from another for the processing of personal data.
  • Are given personal data by a customer or similar third party, or are told what data to collect.
  • Do not decide to collect personal data from individuals.
  • Do not decide what personal data should be collected from individuals.
  • Do not decide the lawful basis for the use of personal data.
  • Do not decide what purpose the personal data will be used for.
  • Do not decide on whether to disclose the personal data, or to whom.
  • Do not decide on how long to keep the personal data.
  • Might make some decisions on how personal data is processed but implement those decisions under a contract with another person.
  • Are not interested in the end result of the processing.

Data protection is just one of many areas of law that a business needs to comply with. At Lawdit Stay Legal we have created a one-stop-shop solution to take away the stress of legal compliance. We will also put legal safeguards in place to assist and protect you and your business if a dispute were to arise. With several packages at different price points, there is something for every business. There is no need to delay, as we even offer a free initial consultation.
