Controllers and processors
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/
Are we a controller?
We decided to collect or process the personal data. | |
We decided what the purpose or outcome of the processing was to be. | |
We decided what personal data should be collected. | |
We decided which individuals to collect personal data about. | |
We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller. | |
We are processing the personal data as a result of a contract between us and the data subject. | |
The data subjects are our employees. | |
We make decisions about the individuals concerned as part of or as a result of the processing. | |
We exercise professional judgement in the processing of the personal data. | |
We have a direct relationship with the data subjects. | |
We have complete autonomy as to how the personal data is processed. | |
We have appointed the processors to process the personal data on our behalf. |
Are we a joint controller?
We have a common objective with others regarding the processing. | |
We are processing the personal data for the same purpose as another controller. | |
We are using the same set of personal data (eg one database) for this processing as another controller. | |
We have designed this process with another controller. | |
We have common information management rules with another controller. |
Are we a processor?
We are following instructions from someone else regarding the processing of personal data. | |
We were given the personal data by a customer or similar third party, or told what data to collect. | |
We do not decide to collect personal data from individuals. | |
We do not decide what personal data should be collected from individuals. | |
We do not decide the lawful basis for the use of that data. | |
We do not decide what purpose or purposes the data will be used for. | |
We do not decide whether to disclose the data, or to whom. | |
We do not decide how long to retain the data. | |
We may make some decisions on how data is processed, but implement these decisions under a contract with someone else. | |
We are not interested in the end result of the processing. |
We do not decide what personal data should be collected from individuals.
We capture specific information relating to email sender/recipient name/email for traceability /auditing and for enabling round trip communication with those individuals in some cases.
We do not decide the lawful basis for the use of that data.
The lawful basis of processing this data is due to our Legitimate Interest in performing email processing, see https://thepluginpeople.atlassian.net/wiki/spaces/JEMHC/pages/3510763577 .
What does it mean if you are a processor?
Processors do not have the same obligations as controllers under the UK GDPR and do not have to pay a data protection fee. However, if you are a processor, you do have a number of direct obligations of your own under the UK GDPR.
Both the ICO and individuals may take action against a processor regarding a breach of those obligations.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/
Our role
Our role in providing JEMHC to our customers is therefore a Processor.