The Data Protection (Jersey) Law 2018 (DPJL) defines ‘Controller’ as:
“Controller” means the natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data, and where those purposes and means are determined by the relevant law, the controller or the specific criteria for its nomination may be provided for by such law.
The key phrase in this definition is ‘determines the purposes and means of the processing of personal data’. This responsibility ultimately sits with the Controller. Even if the Controller outsources the decision making to a data processor, the Controller remains responsible for the processing of the personal data and is ultimately in charge of it.
The second part of the definition refers to ‘where those purposes and means are determined by the relevant law’. By way of example in this context, a Controller may be required to maintain a register of shareholders and/or directors, and in some cases, identify the ultimate beneficial owner because they are required to do so by some other law / enactment. These provisions would cover personal data processed in this context.
The DPJL defines ‘Processor’ as:
“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.
In general terms, a Processor will perform a function on behalf of a Controller, but is not an employee of that Controller. It can only process data in accordance with the Controller’s instructions. Examples of this could be where a function of the business is outsourced to another company, such as human resources, finance or IT support.
In this context, the company providing the outsourced service is processing personal data on behalf of the Controller as a ‘Processor’. The organisation that outsourced the function remains the ‘Controller’. If a Processor deals with any of the information provided by the Controller other than in accordance with the Controller’s instructions, the Processor will become a Controller of that information in its own right. This is because it has added its own decision making into the process and is doing something with the information that it hadn’t been instructed to do by the Controller.
A Processor can sub-contract some or all of the work that it has been tasked with to a ‘sub-processor’. (It can only do this with the say-so of the Controller.)
Relationship between a Controller and a Processor
Article 19 of the DPJL requires that where there is a Controller/Processor arrangement, the Controller must have a legal contract with the Processor setting out the nature and purpose of the processing activities to be undertaken, the duration of the processing, the type of personal data to be processed and the categories of data subjects. It should also set out the obligations and rights of the Controller.
TIP: In practice, every company will be a Controller and/or Processor.