Docaro

United Kingdom Controller Or Processor Decision Tree For Data Processing Agreements

Created:
This flowchart helps you decide whether a party is a controller or processor under UK data protection rules, making Data Processing Agreements clearer and easier to apply. For related templates and guidance, visit AI Generated British Data Processing Agreement.
DPA Role Decision Tool
17%

Do you decide why and how the personal data is processed?

Start with the specific processing activity, not the organisations as a whole. An organisation may be a controller for one activity and a processor for another. Identify who decides the purpose of the processing and the essential means, such as what personal data is used, why it is used, who it is shared with, and how long it is kept.
Disclaimer:
I understand and accept that the flowchart, questionnaire, decision tree, and any results, guidance, classifications, or recommendations provided by Docaro are generated automatically for general informational purposes only and do not constitute legal advice, legal representation, or any other professional advice. No solicitor-client, attorney-client, or other professional advisory relationship is created through use of this service. I acknowledge that the tool operates using simplified rules and assumptions and may not take into account all facts, circumstances, exceptions, legal requirements, or jurisdiction-specific considerations relevant to my situation. The results may be incomplete, inaccurate, outdated, or unsuitable for my particular circumstances. I agree that any outcome or recommendation provided by the tool is indicative only and should not be relied upon as a substitute for independent legal advice. I am solely responsible for verifying the accuracy and suitability of any information provided and for obtaining advice from a qualified legal professional where appropriate. To the fullest extent permitted by applicable law, Docaro disclaims all warranties and liability arising from the use of, or reliance upon, any information, outcome, recommendation, or guidance provided by this service.

Why Is The Controller Or Processor Decision Important In The UK?

Choosing the correct role is essential because UK GDPR duties depend on whether an organisation is a controller, processor, joint controller, or an independent controller sharing data with another controller.

When Do You Need A UK Data Processing Agreement?

A UK data processing agreement is required where a processor processes personal data on behalf of a controller. The agreement must include the mandatory terms in UK GDPR Article 28, including documented instructions, confidentiality, security, sub-processors, assistance, deletion or return of data, and audit rights.

What Happens If You Use The Wrong Agreement?

Using a processor DPA for a controller-to-controller or joint controller relationship can leave key duties uncovered. The parties may fail to give proper privacy information, choose the wrong lawful basis, allocate data subject request responsibilities incorrectly, or overlook international transfer requirements.

How Does The ICO View Controller And Processor Roles?

The UK Information Commissioner's Office expects organisations to assess the real facts of the processing, not just the labels used in a contract. A contract saying that a party is a processor will not be conclusive if that party actually decides its own purposes for using personal data.

What Should UK Organisations Do Before Signing A DPA?

  • Map the personal data, purposes, and processing activities.
  • Identify who decides the purposes and essential means.
  • Check whether any supplier acts only on documented instructions.
  • Use an Article 28 DPA for controller-to-processor processing.
  • Use a data sharing agreement for independent controller sharing where appropriate.
  • Use an Article 26 arrangement for joint controllers.

For further guidance, see the ICO guidance on controllers and processors and UK GDPR Article 28.

Controller or Processor Decision Tree for Data Processing Agreements in the United Kingdom
This flowchart provides a simplified overview of legal concepts and should not be relied upon as legal advice. Always consider the specific facts of your situation and seek professional advice where appropriate.
Want to Generate Your own Data Processing Agreement?
Docaro AI can help you write your own Data Processing Agreement for use in the United Kingdom in minutes.
Generate Your Document Now

FAQs

A UK controller or processor decision tree helps identify whether an organisation decides the purposes and means of processing personal data (controller) or processes it only on documented instructions (processor). This status affects GDPR obligations and the terms needed in a data processing agreement.
Show All FAQs

You Might Also Be Interested In

UK Data Processing Agreement Clause Types
Explore UK data processing agreement clause types for compliance, risk management, and clearer contract drafting.
Controller and Processor Obligations Matrix
UK guide to controller and processor obligations, helping clarify data protection duties, contracts, and compliance responsibilities.
Personal Data Categories for Processing Schedules
UK personal data categories for processing schedules to support compliant drafting, risk review, and data processing agreements.
Learn when a Data Processing Agreement is needed in the United Kingdom and how a simple flowchart can guide your compliance steps.
What Clauses Should a Data Processing Agreement Include in the United Kingdom?
Learn what clauses a Data Processing Agreement in the United Kingdom should include for UK GDPR compliance and risk management.