ico logo b polldaddy

Data controllers and data processors: what's the difference?

A bank contracts a market research company to carry out research. The bank’s brief specifies its budget and that it requires a satisfaction survey of its main retail services based on the views of a sample of its customers across the UK. The bank leaves it to the research company to determine sample sizes, interview methods and presentation of results. What is the research company?

An online retailer works in co-operation with a third-party payment company to process customers’ transactions. What is the payment company?

A courier service is contracted by a local hospital to deliver envelopes containing patients’ medical records to other health service institutions. The courier service is in physical possession of the mail but may not open it to access any personal data or other content. What is the mail delivery service?

A firm uses an accountant to do its books. What is the accountant?

A car hire company contracts a vehicle-tracking company to install devices in its cars and monitor them so that cars can be recovered if they go missing. They specify that the tracking company should track all the company’s cars and send back the location data to the hire company six hours after the end of the hire period, if the car has not been returned. What is the vehicle-tracking company?

A local authority uses a cloud provider to store data about its housing stock and residents, rather than holding the data on its own IT system. The cloud provider is also contracted to delete certain data after a particular period and to grant members of the public access to their own records via a secure online portal. It also hosts a residents’ discussion forum. What is the cloud provider?

A regulatory authority is required by an enactment to carry out certain functions, including the handling of complaints from members of the public who have environmental concerns. Given the large number of complaints it receives, the authority decides to outsource its complaints handling to a much larger regulatory authority with better logistical capacity. The first regulatory authority will no longer provide these services itself and will second most of its staff to the larger authority. The two authorities put an agreement in place saying that, in effect, all data protection compliance responsibilities have passed over to the larger authority. What is the larger authority provider?