PART 4Intelligence services processing

CHAPTER 4Controller and processor

General obligations

102General obligations of the controller

Each controller must implement appropriate measures—

(a)to ensure, and

(b)to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

103Data protection by design

(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)the data protection principles are implemented, and

(b)risks to the rights and freedoms of data subjects are minimised.

104Joint controllers

(1)Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)The arrangement must designate the controller which is to be the contact point for data subjects.


(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)The controller may use only a processor who undertakes—

(a)to implement appropriate measures that are sufficient to secure that the processing complies with this Part;

(b)to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.

(3)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

106Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)on instructions from the controller, or

(b)to comply with a legal obligation.