Controller and processor - GDPR basics
The terms "controller" and "processor" are central to the GDPR. Anyone who is a controller or processor is subject to the corresponding obligations under the GDPR.
But when exactly are you a controller or processor and what are the consequences?
The definition of the controller is found in Art. 4 No. 7 GDPR. Accordingly, the controller is any natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. In order to be the controller, you do not have to collect or process the data yourself, but it is sufficient that you determine the purposes and means.
Who is responsible may be determined by law, but otherwise this is to be understood functionally: The extent to which actual actions are taken by the actor in question must be considered.
If decisions are made in a company about the purposes and means of data processing, however, it is not the individual employee who is the controller, but the company as a whole. If an individual natural person (e.g. the employee) acts, it must therefore always be examined whether the action is attributable to the person himself or to the organization for which he works (e.g. the company).
The person who is the controller is accountable under Article 5 II of the GDPR. He is therefore responsible for ensuring that the data protection principles from Art. 5 I GDPR are demonstrably complied with.
A special feature arises in the case of joint responsibility. According to Art. 26 GDPR, joint controllers can exist if two or more controllers determine the purposes and means of processing. Here, it is crucial that the processing is actually carried out jointly. This is the case if common purposes are pursued and the processing is only possible because all controllers cooperate in it. With regard to the integration of the Facebook Like button into a website, the ECJ has affirmed a joint responsibility of the website operator and Facebook. In the same way, however, several controllers can be jointly involved in a processing operation without being jointly responsible. This is the case if a pure exchange of data takes place without common purposes and means being established.
In practice, joint responsibility may exist especially when the processing of one entity is not possible or useful without the processing of the other entity.
If there is joint responsibility, the controllers involved must specify in an agreement pursuant to Art. 26 I GDPR which of them assumes which obligations under data protection law, such as information obligations. This agreement must be transparent, i.e. show the actual relationships and functions vis-à-vis data subjects. Pursuant to Art. 26 III GDPR, the data subject may nevertheless turn to any of the data controllers when asserting his or her rights.
Legally independent companies are always to be regarded as separate data controllers, which is particularly important within a group of companies. However, the controllers of individual parts of a group of companies are granted a legitimate interest in the exchange of personal data within the group of companies by recital 48 of the GDPR.
The processor is defined in Art. 4 No. 8 GDPR as any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. It must therefore be someone other than the controller and the person must act on behalf of the controller.
The processor is not itself the responsible party. He acts solely on the instructions of the controller. The controller remains responsible for compliance with data protection regulations. However, if the processor disregards his instructions and determines the purposes and means of the processing himself, he is deemed to be the controller in this respect (Art. 28 X GDPR).
It must be measured on a case-by-case basis how much leeway the processor may still have in processing despite being bound by instructions. If he has too much personal responsibility, he ultimately becomes the controller.
In practice, a commissioned processor exists when technical support activities and data processing operations are outsourced to external service providers. Typical cases of commissioned processing are, for example, file destruction, storage of data by cloud services or processing of data in call centers.
If personal data are disclosed to the processor on his behalf, he is also a recipient pursuant to Art. 4 No. 9 DSGVO.