Data Controller Vs. Data Processor

The Data Protection Act requires that all Data Controllers and Processors be registered.

The Act defines a "data controller" as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. A "data processor", on the other hand, means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. A processor acts under the instructions of a controller.

"Personal data" is any information relating to an identified or identifiable natural person, and such a person becomes a data subject once this information is held and processed by a data processor or controller. A controller determines the purposes and means of the processing of personal data, while a processor uses the data for the purposes of, and under the directions of, the controller. The processor cannot process personal data except as directed by the data controller.

An example of how this Controller/Processor relationship arises is an online shopping platform, e.g. Jumia. A user will log into the system and hand over their personal data, which includes their name, email address, ID number, bank details and residential address for delivery of the items purchased. The controller will require this information in order to perform the service they are selling to the user. By collecting that information, Jumia becomes a data controller. Jumia may then procure the services of Sendy motorcycles, who are then contracted to do the deliveries to clients. Sendy accesses information held by Jumia for purposes of deliveries for Jumia, and it is therefore a data processor and must be registered as such.

An entity can be both a controller and a processor and should in that case be registered as both. For instance, in the above case, Sendy has other operations outside of its contract with Jumia, and those operations involve collection of client data. Sendy, being in the logistics business, will ordinarily collect client data including name, identity number, office address, home address, email address and mobile number. All this is data which obviously identifies the user of the Sendy app (personal data), and Sendy will therefore qualify as both a data controller and a data processor.

Other than registration, a data controller is required to take measures to ensure the safety of the data, and that the data is held and processed in accordance with the Data Protection Act. A processor is not only bound by the limits of processing set out by the controller, but is also required to process the information in accordance with the law. While the controller and the processor are required to conduct Data Protection Impact Assessments (DPIAs) as and when necessary, especially in high-risk situations, the data processor is also required to implement internal measures to ensure compliance and support the controller in implementation of data privacy measures.

While making the application for registration, the data processor or controller shall disclose the nature of personal data held, and the purpose for which it is held. Further, it shall disclose safety measures in place to protect such data.

Written by Elixa on Tuesday May 14, 2024
