Press "Enter" to skip to content

Whose Decision is it Anyway?

Controller/Processor determinations

(a.k.a how a data protection anorak spends their leisure time)

Update: Sorry that the tool is not currently working – My supposedly ‘unlimited’ free Zingtree account has expired, and they want £984 a year for me to renew it, which I can’t afford. Currently looking for alternatives – if you know of one, hit me up! I’ll post a downloadable text version of the tool very soon.

Following a lot of pre-GDPR kerfuffle online about Data Controller/Data Processor relationships (and the varying degrees to which these are direly misunderstood), I spent a geeky Sunday night putting together a decision tree tool which should – hopefully – help people who are getting confused/panicked/deeply weary of the search for answers.

It’s not intended to be legal advice, it’s not formal advice from me as a consultant and it’s not guaranteed to be absolutely 100% perfect for every possible scenario. It’s designed for the low-hanging fruit, the straightforward relationships (like standard commercial supply chain) rather than the multi-dimensional nightmare data sharing behemoths one tends to find in the public sector.

Anyway, here it is. Enjoy. If you like it, please tell others where to find it. If you have constructive criticism (that’s not “oh you missed out this incredibly niche complex scenario that would only ever happen every 100 years”) please tell me.

The Tool


Here are also some useful links:

Who’s in Control?


  1. John John 2018-05-14

    With or without permission?

    • Miss Info Geek Miss Info Geek 2018-05-14

      I’m not sure what you’re asking – permission from/by whom? For what?


    Love what you do Rowenna. I got an interesting question the other day in terms of a data controller/employer and 3rd party processors relating to employment. I’ve thought long and hard about it, but would love to hear your take. So an office secretary books a hotel for a member of staff who is travelling on business. In doing so, she submits the employees name, mobile number and email address. Does the employer as controller need to have a 3rd party processing agreement with the hotel? Or is it enough for the employer to advise the employee in the privacy policy that their details may be processed by 3rd parties under legitimate interests?

    • Miss Info Geek Miss Info Geek 2018-05-16

      H’mm, possibly legitimate interests or more likely the basis of a contract to which the data subject is party. The hotel wouldn’t be a Data Processor as their purposes and means of processing will be very different to the employing organisation’s. Separate Data Controllers, I think.

  3. Chris Chris 2018-05-14

    In the Instance of B2B businesses – how would you describe the relationship whereby there is a company (company A) that processes data and sales, and delivers a consumable product to company B.

    However Company A processes data about some of Company B employees.

    Company B – is stating that they are a controller as the data is passed to Company A (however initially acquired via third party brokers) and that Company A is a processor to company B.

    My Understanding is that Company A is a controller and company B has no bearing on Company A, as any PII has been gathered from third parties, and if company B has provided any PII this was the individual doing so,

    • Miss Info Geek Miss Info Geek 2018-05-16

      Don’t get hung up on B2B – that’s only relevant when looking at unsolicited direct marketing by electronic means. The question is impossible to answer without taking a detailed look at the data flows, purposes and circumstances. If Company A merely has a list of contacts at Company B for the purpose of administering the business relationship then they are likely separate Data Controllers.

  4. John John 2018-05-15

    In the third down slide above is not clear. I assume it is with or without permission. Thanks nice app.

    • Miss Info Geek Miss Info Geek 2018-05-16

      I’m sorry, not sure what you mean by ‘3rd down slide above is not clear” – could you elaborate?

  5. John John 2018-05-15

    Is on page after page with slide and choice “my organization is processing personal information.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Hello. I use privacy-friendly analytics (Matomo) to track visits to my website. Can I please set a cookie to enable this tracking? I’m afraid that various plugins and content I have on the site here also use cookies, so a ‘yes’ to cookies is a ‘yes’ to those too. Please have a look at my Privacy Info page for more info about these, and visit my advice page for tips on protecting your privacy online