Data controller

A data controller is an organisation that has full authority to decide how and why personal data is to be processed, and that has the overall responsibility for the data. This includes deciding on use, storage and deletion of the data.

The University as data controller

When the University decides that it wishes to share the personal data it holds with another organisation we are acting as a data controller, as we have the authority to take this decision.

Receiving organisation as data controller

The receiving organisation may also become a data controller. This will depend on whether it will have the authority to decide how and why the data will be stored, used and deleted. If the receiving organisation has considerable discretion in this area, it is probably a data controller.


Passing information, such as the destinations of leavers, to HESA for analysis is done as a data controller-to-data controller transfer. This is because HESA is a separate organisation and will be using the data for their own purposes, which the University will not be involved in or have control over.

If the University were to retain control, this would be a data controller-to-data processor transfer.