Definition
Under the General Data Protection Regulation (Article 4(7)), the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The controller bears primary responsibility for compliance with GDPR obligations, including demonstrating that compliance (the accountability principle in Article 5(2)).
UK Context
Best Practices
- Maintain a comprehensive record of processing activities covering all employee data processing operations as required by Article 30; note that the small-organisation exemption in Article 30(5) rarely applies to HR processing, because payroll and personnel records are processed on an ongoing rather than occasional basis
- Conduct data protection impact assessments under Article 35 before implementing new HR technologies or monitoring systems, since systematic monitoring of employees is a recognised high-risk activity
- Establish written data processing agreements containing the mandatory Article 28(3) terms with all HR software vendors, payroll providers, and other processors
- Implement processes for responding to employee data subject access requests within the one-month statutory timeframe, which may be extended by up to two further months for complex or numerous requests provided the employee is told of the extension within the first month
- Appoint a data protection officer where required by Article 37 and ensure they have genuine independence, direct reporting to senior management, and adequate resources
Frequently Asked Questions
Is an employer always the data controller for employee data?
In most cases, yes. The employer determines the purposes and means of processing employee data: what data to collect, why, and how to use it. However, in some situations there may be joint controllership, for example when a parent company and a subsidiary jointly determine the purposes for processing employee data across the group. Joint controllers must set out their respective responsibilities in a transparent arrangement under Article 26.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data, while a data processor processes data on behalf of and under the documented instructions of a controller. For example, an employer is the controller of payroll data, while the external payroll provider processing that data is typically a processor. The controller bears primary compliance responsibility, although processors have their own direct obligations under the GDPR, and a processor that processes data outside the controller's instructions is treated as a controller for that processing.
What are the penalties for failing to meet controller obligations?
Administrative fines can reach up to 20 million euros or four per cent of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements, such as breaches of the basic processing principles or of data subjects' rights. Lower-tier fines of up to 10 million euros or two per cent of turnover, whichever is higher, apply to other breaches, including failures in controller and processor obligations such as record-keeping and security. Data subjects can also claim compensation under Article 82 for material and non-material damage, and supervisory authorities may issue corrective orders, including a ban on processing.