Controller and Processor under DPA

Controller under DPA:

A controller is one who determines the purposes for which and the means by which personal data is processed. 

General obligations of the Controller:  

Chapter 4, section 56 of the DPA requires the controller to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part. The measures implemented to comply with the duty under s. 56(1) must be reviewed and updated when necessary.

Who are joint controllers?

Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part. Joint controllers must determine their respective responsibilities for compliance by means of an arrangement between them, and must do so in a transparent manner. The arrangement must designate the controller which is to be the contact point for the data subject.

Processor under DPA:

A processor is a person (a natural or legal person, public authority, agency, or any other body) that processes personal data on behalf of the controller. The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will:

  1. meet the requirements of this Part, and
  2. ensure the protection of the rights of the data subject.

Sub-processing is not allowed without the prior written authorisation of the controller. The authorisation may be specific or general. Where the authorisation is a general one, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them, so that the controller has the opportunity to object to the proposal.

The processing by the processor must be governed by a contract in writing between the controller and the processor, and the contract must set out the following:

  1. the subject matter and duration of the processing
  2. the nature and purposes of the processing 
  3. the types of personal data and categories of data subjects involved
  4. the obligations and rights of the controller and processor
