Q&As

Are there any particular issues that law firms should consider when determining whether they are Data Controllers as opposed to Data Processors as defined by the General Data Protection Regulation? Specifically, will law firms be data controllers for all work, or joint data controllers? Can they assume different roles (processor or controller) depending on the type of client/line of business they are engaged in? If so, what are the consequences?

read titleRead full title
Published on LexisPSL on 02/10/2017

The following Information Law Q&A provides comprehensive and up to date legal information covering:

  • Are there any particular issues that law firms should consider when determining whether they are Data Controllers as opposed to Data Processors as defined by the General Data Protection Regulation? Specifically, will law firms be data controllers for all work, or joint data controllers? Can they assume different roles (processor or controller) depending on the type of client/line of business they are engaged in? If so, what are the consequences?
  • Definitions of ‘data controllers’ in the current and future regimes
  • Governance and liabilities

Definitions of ‘data controllers’ in the current and future regimes

Data Protection Directive, Directive 95/46/ECUK’s Data Protection Act 1998 (DPA 1998)General Data Protection Regulation (GDPR)
Article 2(d):
'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for their nomination may be designated by national or Community law
Section 1(1):
‘data controller’ means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
Article 4(7):
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are d
Related documents:

Popular documents