Data Controller, Data Processor and Data Subject

Key Points

  • Please see our summary GDPR card here
  • The Data Protection Act 2018 (the “DPA”) places a number of obligations on persons that control or process personal data about individuals. Persons controlling or processing personal data are known as data controllers or data processors under the DPA 2018. The individual to whom the personal data relate is known as the data subject.

Data controller and Data Processor 

Part 1 of the Data Protection Act does not provide a single definition of data controller or data processor; instead, it signals the relevant Chapter or Part of the Act for the specific definition of these terms.

As a general rule, the definitions of controller and processor mirror those of the General Data Protection Regulation, Article 4:

- 'controller' means the natural or legal person who alone or jointly with others determines the purpose and means of the processing of personal data; and

- 'processor' means the natural or legal person who processes personal data on behalf of the controller

 

Data subject

Article 4 of the GDPR provides that 'personal data' means any information relating to an identified or identifiable natural person (the 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.