(1) The definition of "controller" in Article 4(7) of the UK GDPR has effect subject to -
(a) subsection (2),
(b) section 209, and
(2) For the purposes of the UK GDPR, where personal data is processed only -
(a) for purposes for which it is required by an enactment to be processed, and
(b) by means by which it is required by an enactment to be processed,
the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.