A data controller decides how and why personal data or sensitive personal data should be used. Data controllers are normally organisations like companies, partnerships, charities and so on although individuals, for example self-employed consultants, can also be data controllers.

A data processor acts on the data controller’s behalf to process and use the data. Again, a data processor can be any type or organisation or even an individual.

For example, if a company collects personal data from customers to compile a customer list, the company will be a data controller. If the company then passes the customer list to a marketing agency and instructs the latter to prepare an advertising mailshot, the marketing agency will be a data processor.

Previous data protection rules applied largely to data controllers, however the GDPR introduce new obligations on data processors. If you think this may affect you, our team can guide you through your new duties and any changes you need to make.