When applying GDPR or DPA there are two key parties, controllers and processors. Organisations can be controllers, processors or both.

Controller

A controller is a person, public authority, agency or other body which alone, or jointly with others, determines the purposes and means of processing personal data.

Processor

A processor is a person, public authority, agency, or other body which processes personal data on behalf of the controller

Under GDPR controllers are responsible for ensuring that all contracts with processor are compliant. While processors have a legal obligation to maintain records of PII data and ensure their processing is compliant.

‍