An independent ‘Data Controller’ (DC) is a person who ‘controls and is responsible’ for the keeping and the use of personal information on computer files.
DATA PROTECTION PRINCIPLES
Article 5 of the General Data Protection Regulation (GDPR) 2018 sets out six core principles, introduced under the new regulations, which govern the processing of personal data. These require that personal data must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for a specified, explicit and legitimate purpose;
- Adequate, relevant and limited to what is necessary for the purpose for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects (people, from whom personal data is collected, processed and stored) for no longer than is necessary for the purposes for which the personal data are processed; and
- Processed in a manner that keeps data secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Furthermore, Article 5 requires that Data Controllers both comply with the six principles and are able to demonstrate that compliance.
Who is the Data Controller?
The GDPR defines a Data Controller as:
‘a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing’. For example, a business obtaining customer or employee details, or a school, college or university holding student records. We have a proven track record for advising and assisting all types of specialist care establishments to meet their obligations in the Care Home sector.
The role of a Data Controller is to determine who is responsible for compliance with Data Protection rules and how Data Subjects can exercise their rights. The Data Controller is in charge of the data and instructs the processor on how it is handled. The Data Controller must decide the purpose for which data is required and what data is necessary to fulfil that purpose.
A Data Controller must act with its own autonomy. A party that is constrained in how it can handle data is less likely to be a Data Controller, but could be a Data Processor.
The two questions to consider when identifying a Data Controller are:
- Why is the data being processed?
- Who proposed that the data is processed?
Who is the Data Processor?
It is also important to explain who the Data Processor is.
The GDPR defines a Data Processor as:
‘A natural or legal person that processes personal data on behalf of the data controller’.
A Data Processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the Data Controller in its processing of the personal data. InfoTrace can and will remove the stress of this role for you, and you can Contact Us for a bespoke tailor-made service and an agreed affordable rate (no hidden fees ever).
The role of a Data Processor may include storing data, retrieving data, carrying out marketing activities, or providing security for data. InfoTrace will do this for you and can even assess and create policies, processes and procedures for you and your business (including Care Homes).
Scenario
- Jolly Jolly Care Homes For One and All Limited (fictitious company for this scenario only) has entered into a contract with InfoTrace Limited, providing clear instruction to InfoTrace Limited to send an email advertising their new range of Care Home Bed Spaces.
- They provide InfoTrace Limited with an email template and a spreadsheet of personal email addresses (all obtained with consent as per the GDPR).
- Jolly Jolly Care Homes For One and All Limited specify that the spreadsheet is only to be used to send this advertising email.
- InfoTrace Limited are bound by Jolly Jolly Care Homes For One and All Limited's instructions.
In this scenario, InfoTrace Limited is a data processor and Jolly Jolly Care Homes For One and All Limited is the data controller.
What is a lawful basis under the GDPR?
It is important to understand that the lawful bases for processing are set out within the GDPR 2018.
For a business to process data under the GDPR, it must have a valid lawful basis. The GDPR identifies six lawful bases for processing personal data, and these are:
- Consent.
- Contract – processing is necessary for a contract with an individual.
- Legal obligation – processing is necessary to comply with the law.
- Vital interests – processing is necessary to protect an individual’s life.
- Public task – processing is necessary for a business to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law; and
- Legitimate interest – the processing is necessary for a business’ legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect the data subject’s data, which overrides those legitimate interests).
The lawful basis must be determined before data is processed, and it must be correct from the outset. Businesses are unable to simply swap to a different lawful basis at a later date.
If the business decides to change the purpose for processing the personal data collected, the lawful basis relied upon will require complete review. Depending on the extent of the change, namely whether it is compatible with your initial purpose, businesses might be able to rely on the same lawful basis, unless the lawful basis is consent, in which case the consent will need to be refreshed.
InfoTrace provides affordable and bespoke services for your business.

If your business requires full details on the GDPR, then we believe that you should Contact Us for details regarding training (please see InfoTrace Training).
