A data controller is any person, authority organisation or other body which either on its own or jointly with another party determines the purposes and means of processing personal data. In simple terms, the controller is responsible for ensuring the control of the personal data.
Relationships with Data Processors
When a controller passes on responsibility for processing to a data processor it will retain control through the contract that it puts in place to manage this relationship.
Relationships with Joint Controllers
If the controller shares this responsibility jointly with another controller then it is advisable that a contract is in place (but not mandatory), but there should be a data sharing agreement in place to ensure that the data subject’s have complete transparency surrounding the relationship and the processing of their data.
An example of a Joint Controller might include the relationship between a franchisor and its franchisee, where processing of data is shared across platforms and responsibilities.
Relationships with Controllers in Common
There are circumstances where multiple controllers process data and a contractual agreement does not exist, for example an employer sharing personal tax details with a tax authority. In these cases the statutory obligation overrides and it is unlikely that any further due diligence would be undertaken.