Step Up For Oracle Our Director is walking 10KM every day this August for Oracle Head and Neck Cancer UK. Follow the walk & donate →
Tremark guide to data controller and processor roles when instructing investigators Tremark guide to data controller and processor roles when instructing investigators

A Tremark Guide for Legal Professionals

Controller, Processor or Joint Controller?

It looks like paperwork pedantry until something goes wrong. Whether your investigator is a controller, a processor or a joint controller decides who owes which duties, what your contract must say, and who answers when a data subject or the ICO comes calling. This guide untangles the three roles in plain English, using the examples the sector's own ICO-approved Code relies on.

30+ Years' Experience
ABI Members
ISO 27001 & 9001
Law Society Linked
UK & International
The Guide

Ten Questions That Settle Who Holds Which Role

Data protection roles are decided by facts, not labels. That single principle, confirmed in the ABI's ICO-approved Code of Conduct, explains most of the confusion between law firms and their investigators. Work through these ten sections and you will be able to classify any instruction correctly, paper it properly, and explain the position to your compliance team without breaking stride.

The Three Roles

What the Labels Actually Mean

Sections one to five define each role and show where a law firm and its investigator typically sit, using real instruction types as examples.

1

The three roles in plain English

A controller determines the purposes and the means of processing: the why and the how. Controllers are in charge, and they are accountable for the whole operation, including work done for them by processors.

A processor handles personal data on a controller's behalf, following documented instructions. A processor can still make day-to-day operational choices, such as which software to use, provided the instructions are detailed enough for the controller to verify compliance.

Joint controllers are two or more parties who decide the purposes and means together. Each remains fully answerable to individuals and to the ICO, but they must agree, transparently, who handles which controller duty. One crucial rule sits above all three definitions: the facts of the processing decide the role. You cannot contract your way into a label the reality does not support.

2

Where your law firm sits

A law firm is a controller of the personal data in its client matters. It decides why that data is processed, litigation, advice, a transaction, and broadly how. Instructing an agent does not change that; it extends the processing chain.

So the live question is never whether your firm is a controller. It is what the investigator becomes when you pass them the file: your processor, an independent controller, or a joint controller alongside you. That depends entirely on how much genuine decision-making the instruction leaves to them.

It helps to think in terms of discretion. Tight, mechanical instructions keep the investigator in processor territory. Broad objectives that rely on their professional judgement push them towards controller or joint controller status, and the sector's Code says that is where investigators typically sit for at least part of most engagements.

3

When your investigator is a processor

The Code's clearest processor example is one of ours: serving statutory demands. The client supplies names and addresses, and instructs the agent to attend, verify identity and serve. The agent decides neither purpose nor means; it executes. That is processing on behalf of a controller.

Address verification against a defined source works the same way. If a client says check these addresses against the electoral roll and report matches, and nothing more, the investigator is a processor even while choosing its own software and secure delivery method, because those operational choices sit inside detailed instructions.

Two things follow. First, an Article 28 agreement is mandatory, in writing, with the specific clauses the UK GDPR lists. Second, the moment the agent steps outside those instructions and starts deciding things for itself, the analysis changes. Which brings us to the next section.

4

When your investigator becomes a controller

Investigation is judgement work. The Code lists the decisions that tip an agent into controller territory: choosing whether to collect data at all, which sources to use, whose data to gather, whether to follow a lead, what to disclose and how long to retain material. Make those calls, and you are determining purpose and means.

Its worked example is instructive. An agent tracing a debtor knocks on a door, senses the debt story does not add up, and pursues a fresh line of enquiry on the spot, new subject, new searches, no time to phone the client. Exercising that much discretion, the agent is likely acting as a controller or joint controller for that processing.

Retention is another quiet trigger. An investigator who keeps case material beyond the client's instructions because litigation is reasonably in prospect is making a controller's decision about that data, and the Code says so explicitly. None of this is a problem. It simply has to be recognised and papered correctly.

5

Joint controllership: deciding together

Joint controllership arises when client and investigator shape the processing together. The Code gives two versions. In one, a law firm and an agent sit down and agree what information to obtain from an accident victim, how to obtain it and what it will be used for: purposes and means decided jointly.

In the other, more common version, the client gives broad instructions, investigate this, and the agent makes the detailed decisions about data, sources and methods. The client has sufficiently influenced the processing by selecting the agent and setting the objective; the agent has determined the detail. The Code treats that as joint controllership too.

Joint controllers must record, transparently, who will handle which controller obligation, especially individuals' rights and transparency. An engagement letter can do this. What no arrangement can do is limit an individual's ability to enforce their rights against either party in full.

Choose Wisely

Why an Accredited Partner Matters

Role confusion is a supply chain risk, and it is entirely avoidable. Tremark states its role in every engagement, backs it with the right agreement, and holds the audited certifications that make your due diligence file write itself.

ABI Member
Association of British Investigators
ISO 27001
Information Security
ISO 9001
Quality Management
FSQS Registered
Financial Services Qualified
Cyber Essentials
Certified
Law Society
Connected
WAD Member
World Association of Detectives
Getting It Right

Contracts, Tests and Common Failure Modes

Sections six to ten turn theory into practice: which agreement you need, a quick test you can apply to any instruction, and the mistakes that create liability.

6

Contracts: Article 28 terms or a data sharing arrangement?

The role dictates the document. Controller to processor requires a binding written contract containing the Article 28(3) mandatory clauses: process only on documented instructions, confidentiality, security measures, sub-processor authorisation, assistance with rights and breaches, and return or deletion at the end.

Controller to controller, including joint controllership, does not use Article 28 terms. Instead you need a written arrangement allocating responsibilities: who tells the individual what, who answers subject access requests, who notifies breaches, how queries get routed. For joint controllers this transparency arrangement is a legal requirement, not good practice.

A frequent real-world error is a firm sending its standard processor terms for every instruction, including ones where the investigator plainly exercises controller discretion. The mismatch does not change the legal reality; it just guarantees the paperwork contradicts it.

7

A practical test you can apply in two minutes

Before sending an instruction, run it through five quick questions. The pattern of answers tells you the role, and the Code Member on the other side should reach the same conclusion independently.

  • Purpose. Did we define exactly why this data will be processed, or does the agent shape the objective?
  • Scope. Have we specified whose data and which data types, or will the agent decide who falls within the enquiry?
  • Sources and methods. Are the sources fixed by us in detail, or chosen through the agent's professional judgement?
  • New information. If something unexpected surfaces, must the agent revert to us, or may they pursue it?
  • Retention. Do our instructions govern how long material is kept, or does the agent apply its own policy?

All answers on the left: processor, paper it with Article 28 terms. Answers drifting right: controller or joint controller, paper it with a responsibilities arrangement. Mixed answers are normal, one engagement can involve both roles for different activities.

8

When one firm holds both roles at once

Roles attach to processing activities, not to companies. The same investigator can be your processor for one activity and a controller for another, sometimes over the very same data, and the Code expects members to keep the two clearly separated.

Its example: an agent traces a debtor with wide discretion, acting as controller. The debt is sold, and the purchaser sends tightly specified trace instructions, naming systems and data points. For the new work the agent is likely a processor. Same subject, same agent, different role, because the facts changed.

Retention for audit shows the same split. An investigator holding closed-case data for its own quality or accreditation audits is controller of that retained copy, even if it was a processor when gathering it. Precision here is not pedantry; it determines which contract clause and which liability rules bite on which activity.

9

What goes wrong when roles are fudged

The classic failure is assuming our agent equals our processor. A subject access request arrives at the investigator, who assumes the law firm will deal with it; the firm assumes the reverse. The statutory deadline passes while everyone waits, and a routine request becomes a complaint.

Breaches expose the same gap under worse pressure. A processor must notify its controller without undue delay; a controller must assess and, where required, notify the ICO within 72 hours. If nobody established who is who, that clock runs out during the argument.

Liability follows the reality. Individuals can claim against a controller for its processing, and against a processor that breached its own duties or exceeded instructions. An investigator who quietly exceeded processor instructions has become a controller for that excursion, with full controller exposure, and the ICO can enforce against either party. Labels on paper rescue no one.

10

Getting it right at instruction stage

Everything above compresses into a few habits at the point of instruction. State the purpose in a sentence. Decide how much discretion you are granting, and say so. Expect the investigator's engagement letter to declare its role, the Code requires members to do exactly that before accepting work, and check it matches your own analysis.

Then attach the right paper: Article 28 terms for processor work, a responsibilities arrangement for controller or joint controller work, or both where an engagement mixes activities. Confirm the practical routings while you are there: where SARs go, who calls whom on a breach, what happens to the file at the end.

Done once, this becomes a template you reuse on every instruction. At Tremark the role conversation is built into onboarding, because a client who knows exactly where responsibility sits is a client whose evidence, and whose file, survives scrutiny.

Complete

Roles sorted. Contracts matched. Risk contained.

You now know more about data roles than most people who negotiate them. The payoff is practical: cleaner engagement letters, correct contracts and no surprises when a subject exercises their rights. Five questions below to make it stick.

Quick knowledge check

Five short questions on what you have just read. Takes about a minute, no sign up needed.

Your Testimonials

What legal professionals say about us

Trusted by solicitors, insolvency practitioners and insurers across the UK.

Common Questions

Frequently asked questions

Quick answers on controller and processor questions that come up when instructing investigative work.

No, but straightforward service work often is. Where the client supplies the documents, names and addresses and the agent simply attends and serves, the agent processes to instruction. If the same agent starts tracing a new address or making judgement calls about additional enquiries, those activities can move it into controller territory.
Only for the activities where the investigator genuinely acts as your processor. For work involving real investigative discretion you also need a controller-to-controller arrangement recording how responsibilities are shared. Many firms run both documents side by side, applied per activity.
The controller of the data in question. If the investigator was purely your processor, the request is yours to answer with their assistance. If they acted as a controller or joint controller, they carry their own obligation to respond, which is why the routing should be agreed in writing at the outset.
Each joint controller is fully answerable to individuals, who can claim against either for damage caused by the processing unless that party proves it was in no way responsible. Internal arrangements can apportion costs between the parties afterwards, but they cannot limit the individual's rights.
As your processor, only with your prior written authorisation, either specific or against agreed criteria, and the sub-processor must be bound by equivalent terms. As a controller, the investigator makes its own arrangements but remains accountable for them. Either way, a professional firm will tell you before extending the chain.
It should identify the role for each type of activity in plain terms, point to the governing agreement, and confirm the practical routes for subject access requests and breach notification. The ABI's ICO-approved Code requires members to communicate their role to clients before accepting instructions.
Controllers report qualifying breaches to the ICO, generally within 72 hours of becoming aware. Processors must tell their controller without undue delay so that clock can be met. If roles were never established, that timetable is the first thing to fail.
The role does not expand or shrink what is lawful to collect; lawful basis, necessity and proportionality govern that. What the role changes is who is accountable for those decisions and what paperwork must exist. Clean roles make the resulting evidence easier to defend, because the compliance trail behind it is coherent.

Get in touch

Tell us what you need and one of our team will come back to you promptly.

    Need documents served or a subject traced?

    Our nationwide network of agents and in-house investigations team support law firms, insolvency practitioners and insurers every day. Send over your instruction, or call us for a same-day quote.

    Get in touch

    Tell us what you need and one of our team will come back to you promptly.