Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller)
Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller)

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller)
  • Key guidance
  • Meaning of controller
  • Meaning of ‘personal data’ and ‘processing’
  • Meaning of ‘natural or legal person, public authority, agency or other body’
  • Meaning of ‘determine’
  • Meaning of ‘alone or jointly with others’
  • Meaning of ‘purpose’
  • Meaning of ‘means’
  • Whether both the purpose AND means must be determined
  • More...

It is vital that natural persons and organisations involved in the sharing or other processing of personal data (referred to simply as ‘parties’ in this Practice Note) understand and identify their roles (eg processor, independent controller or joint controller) under data protection law. The role each party plays will establish the obligations of each party at law and allows the parties to identify the contractual and other risk mitigation steps they should take.

On 31 January 2020, the UK ceased to be a member of the EU and EEA. Given the extensive data flows between the EEA and UK, equivalent EEA data protection laws will remain of particular interest to UK practitioners.

In relation to the subject matter of this Practice Note, there is great similarity between:

  1. the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) (which was applicable under UK laws until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remains applicable in the EEA), and

  2. the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) (applicable under UK laws from the end of the Brexit implementation period and largely copied from the EU GDPR)

Therefore, this Practice Note addresses equivalent requirements under both the UK GDPR and EU GDPR to assist UK practitioners who may need to consider the position under either

Popular documents