Controller and processor - GDPR basics
The terms "controller" and "processor" are central to the GDPR. Anyone who is a controller or processor is subject to the corresponding obligations under the GDPR.
But when exactly are you a controller or processor and what are the consequences?
Controller
The definition of the controller can be found in Art. 4 No. 7 GDPR. Accordingly, the controller is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. To be a controller, you do not have to collect or process the data yourself; it is sufficient that you determine the purposes and means.
Who the controller is may be determined by law; otherwise the term is to be understood functionally: what matters is the extent to which the actor in question actually takes the relevant decisions.
If decisions about the purposes and means of data processing are made within a company, it is not the individual employee who is the controller, but the company as a whole. Whenever an individual natural person (e.g. an employee) acts, it must therefore be examined whether the action is attributable to that person or to the organization for which he or she works (e.g. the company).
The controller is accountable under Art. 5 II GDPR. It is therefore responsible for ensuring, and for being able to demonstrate, that the data protection principles of Art. 5 I GDPR are complied with.
A special case is joint responsibility. According to Art. 26 GDPR, joint controllers exist if two or more controllers jointly determine the purposes and means of processing. It is crucial that the processing is actually carried out jointly: this is the case if common purposes are pursued and the processing is only possible because all controllers cooperate in it. With regard to the integration of the Facebook Like button into a website, the ECJ has affirmed joint responsibility of the website operator and Facebook. Conversely, several controllers can be involved in a processing operation without being jointly responsible. This is the case if data are merely exchanged without common purposes and means having been established.
In practice, joint responsibility may exist especially when the processing of one entity is not possible or useful without the processing of the other entity.
If there is joint responsibility, the controllers involved must specify in an agreement pursuant to Art. 26 I GDPR which of them assumes which obligations under data protection law, such as information obligations. This agreement must be transparent, i.e. it must reflect the actual relationships and functions vis-à-vis data subjects. Pursuant to Art. 26 III GDPR, the data subject may nevertheless turn to any of the controllers when asserting his or her rights.
Legally independent companies are always to be regarded as separate controllers, which is particularly important within a group of companies. However, recital 48 GDPR grants the controllers of the individual parts of a group a legitimate interest in the exchange of personal data within the group.
Processor
The processor is defined in Art. 4 No. 8 GDPR as any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. It must therefore be someone other than the controller, and it must act on the controller's behalf.
The processor is not itself the controller. It acts solely on the instructions of the controller, and the controller remains responsible for compliance with the data protection rules. However, if the processor disregards its mandate and itself determines the purposes and means of processing, it is deemed to be the controller in this respect (Art. 28 X GDPR).
How much leeway the processor may still have in the processing despite being bound by instructions must be assessed on a case-by-case basis. If it has too much responsibility of its own, it ultimately becomes the controller.
In practice, processing on behalf of a controller exists when technical support activities and data processing operations are outsourced to external service providers. Typical cases are, for example, file destruction, storage of data by cloud services or processing of data in call centers.
If personal data are disclosed to the processor, it is also a recipient pursuant to Art. 4 No. 9 GDPR.