Data Controllers and Processors

You are a data controller if you can answer YES to the following question:-

    • Do you collect, hold and process personal information?
    • Do you determine how personal information collected should be processed?
    • Do you determine what personal information should be collected and or kept?


The Data Protection Act, 2012(Act 843) defines a "data controller" as “a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed” .

The data controller is therefore the individual or legal person or body who controls and is responsible for the collection, keeping and use of personal information in computer systems or in manual files.

If you or your  organisation controls and has responsibility over  the personal information  it collects or holds, then you or your organisation (as the case may be) are a data controller. If in doubt or unsure about your status,  please contact the Commission.


You are a data processor if you can answer YES to the following questions;

    • Do you collect,  hold or process personal data, but do not exercise responsibility for or control over how the personal data is processed?
    • Do you have little or no freedom in the determination of   what the data processing should entail?

The Data Protection Act, 2012(Act 843) defines a “data processor” “as any person other than an employee of the data controller who processes the data on behalf of the data controller”. They only process data on the instruction of the data controller. Examples of data processors include payroll companies, accountants and market research companies their responsibility is to keep data from unauthorized access, disclosure, destruction and accidental loss.

It is possible for a person (legal person) to be both a data controller and a data processor, in respect of distinct sets of personal information.

If you or your organisation process the personal information, but some other individual or organisation decides and is responsible for how you process  that personal information, then the said individual or other organisation that determines how you process the personal information is the data controller, and your organisation is the "data processor"


Today, personal information such as names, telephone numbers, pictures, addresses, birth dates, medical reports, accounts, and credit card information and many others are collected by individuals or organizations and processed for various reasons. We rely on you or your organisation to use or divulge such personal information as intended and to keep it safe. The privacy and data protection rights of an individual must therefore be respected by those collecting and processing such information. Read more...