Suppliers: are we data processors or data controllers?

It is very important that schools understand whether their suppliers of products and services are data controllers or data processors. We are aware that there is a lot of confusion around this in schools and in some instances amongst school suppliers so we thought we would try to clarify the difference.

Why is it important?

If you, as the supplier is data controller, it is important that you handle data in accordance with the GDPR compliance standards, however, there is no liability on the school.

However, if you, as the supplier is a data processor and the school is the data controller, you share responsibility. In this instance, it is very important that you demonstrate to schools that you are managing their data appropriately and correctly.

How do we know which we are?

There is no clear-cut rule but here’s some pointers that we hope will help you and your client schools establish which you each fall under.

Suppliers as data controllers

All suppliers will be data controllers for some of your data.

You ask schools for the main contact’s name and details to allow them to do business with you. This is a B2B relationship in which you are the data controller and the school contact is the data subject. All responsibility of keeping that data safe is with you. The school contact can exercise their rights as a data subject to ask you about the data you hold on them, just as a parent can ask a school via a Subject Access Request (SAR).

Examples where suppliers are data controllers:

  • All suppliers – B2B information
  • Training organisation
  • Equipment and Food suppliers (unless schools give you individual names relating to special requests, i.e. the school supply medical information of a pupil or member of staff at school for specialised equipment/food request)
  • Shopping portals
  • etc, etc

Suppliers as data processors

The GDPR makes it clear that the responsibility of keeping data safe is equally shared between the data controller and the data processor.

If large quantities of data are leaving the school to go to another organisation you can be pretty sure that the school is the data controller and the receiving organisation (you) is the data processor. In addition, you are a data processor if the school is passing on information about individuals which is more than is needed for you to do business with the school.


  • Local authorities
  • Ofsted
  • Examination boards
  • DfE
  • Teachers pensions
  • HR and Payroll systems
  • School meals
  • etc, etc

In addition, there are commercial companies which are also your data processors.

  • Messaging and Parent Engagement systems
  • Payment and school meals’ services
  • Online safeguarding software
  • Teaching and learning portals which ask you to upload pupil or staff data
  • System integrators which pull data from 1 place and move it to another
  • etc, etc

Each supplier must provide schools with evidence of their compliance for the school’s data protection impact assessments (DPIA) or as part of their review of compliance and the school’s culture on use of data.

Suppliers that produce software to allow schools to process data

There are many systems in schools where the software processes data but it never leaves the premises. Whilst the suppliers in this instance are not data processors they have a responsibility to ensure their software can allow schools to meet compliance. We would expect these suppliers to provide schools with much of the evidence as if they were a data processor even though they do not process the data.

  • Local applications such as Word and Excel (not Office 365 Online), where data is held, often in templates or mark sheets
  • Local hosted MIS
  • Various teaching software loaded locally where children or staff enter their names or access is controlled by the computer login
  • etc, etc

It is important to note that if any of these suppliers change the system to an offering online or they undertake remote support and have access to the data, then they become a data processor.

Careful consideration is needed when schools approach you for information about your compliance, or how you support the school’s own compliance.  GDPRiS has already provided guidance about the questions schools are likely to ask you should you be a data processor, or where you can help schools with their compliance. This should help in your responses to schools.

If you are purely working on a B2B basis with schools then a simple statement pointing this out to the school, referring to your Privacy Notice and actions you have taken as a data controller to ensure compliance, should be sufficient.