Q&As

Where personal data is stored by a subsidiary company, but accessed by its parent company, must you issue a communication to the data subjects on how their personal data will be used/processed? And what are the requirements for group companies who wish to share customer data (including sensitive information) under the DPA 1998?

Published on LexisPSL on 13/06/2017

The following Information Law Q&A provides comprehensive and up-to-date legal information covering:

  • Where personal data is stored by a subsidiary company, but accessed by its parent company, must you issue a communication to the data subjects on how their personal data will be used/processed? And what are the requirements for group companies who wish to share customer data (including sensitive information) under the DPA 1998?
  • The data controller
  • Data sharing
  • Privacy notices

In conducting our research, we have focussed on the position under the Data Protection Act 1998 (DPA 1998) and we have not commented on the position under the forthcoming General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which will be directly applicable from 25 May 2018.

The data controller

The first key point will be to establish who the data controller is. A 'data controller' is any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed (DPA 1998, s 1(1)).

A data controller may be an individual, a collection of individuals, or other legal person (such as a company or limited liability partnership). There may also be more than one data controller in respect of a particular set of personal data, in which case, the data controllers may be 'joint data controllers' or 'data controllers in common', for example:

  1. joint data controllers—where two or more controllers act together to decide the purpose and manner of processing, and

  2. data controllers in common—where two or more controllers share a pool of personal data that they process independently of each other

For more analysis on the differences between data controller types, see Q&A: What is the difference between a joint data controller and a data controller in common?, though
