The Difference between Data Controller and Data Processor : Case Study of the United Kingdom

Main Article Content

Ornamol Arapol

Abstract

 Data controllers and data processors have their own obligations under the data protection regulations.  It is important to identify the difference between a data controller and data processor; especially when the breach of personal data occurs.  Who is responsible for the security of personal data or for a the data breach?  In this regard, the United Kingdom personal data regulator has set the tone to consider the difference between data controller and data processor in many aspects.  The major consideration to use for clarifying the difference between data controller and data processor is the power to control personal data, such as identifying what personal data should be collected, setting the purpose of using that personal data, as well as the method to process personal data.  In the meantime, data processors must strictly comply with the data controller’s recommendations about how to process personal data without any consideration of their own.  However, data processors can use their professional techniques to protect personal data.  In this matter, Thailand can adopt best practices of the United Kingdom to identify the difference between data processors and data controllers, which will help to reach the goal of personal data protection.

Article Details

How to Cite
Arapol, O. (2023). The Difference between Data Controller and Data Processor : Case Study of the United Kingdom. University of the Thai Chamber of Commerce Journal Humanities and Social Sciences, 43(2), 144–154. Retrieved from https://so06.tci-thaijo.org/index.php/utccjournalhs/article/view/261621
Section
Academic Article

References

ปิยะบุตร บุญอร่ามเรือง, ปิติ เอี่ยมจำรูญลาภ, ชวิน อุ่นภัทร, และฐิติรัตน์ ทิพย์สัมฤทธิ์กุล. (2561) Thailand Data Protection Guidelines 1.0: แนวปฏิบัติเกี่ยวกับการคุ้มครองข้อมูลส่วนบุคคล. สืบค้นจาก https://www.law.chula.ac.th/wp-content/uploads/2019/06/tdpg.pdf

พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562. (2562, 27 พฤษภาคม). ราชกิจจานุเบกษา, 136(69ก), 52-94.

Data Protection Act 2018 (UK). (2018, 25 May). UK Public General Acts, 2018 CHAPTER 12.

European Commission. (2023). What is a data controller or a data processor?. Retrieved March 7, 2023, from https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en

General Data Protection Regulation. (2016, 27 April). the Regulation (EU) 2016/679. L119, 4 May 2016,1–88.

Information Commission’s Office. (2014). Data controllers and data processors: what the difference is and what the governance implications are. Retrieved March 7, 2023, from https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-

processors-dp-guidance.pdf

Information Commission’s Office. (2022). What are ‘controllers’ and ‘processors’?.

Retrieved March 7, 2023, from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors/#1.

University of Oxford. (2023). Responsibilities under GDPR. Retrieved March 7, 2023, from https://researchsupport.admin.ox.ac.uk/policy/data/responsibilities