Controller

Key References:

  • GDPR Art. 4(7) on definition of controller
  • GDPR Art. 26 on joint controllers
  • GDPR Arts. 24-38 on responsibilities
  • GDPR Art. 30 (ROPA requirements)
  • Accountability obligations
  • Requirements of transparency, record keeping, DPIA, DPO, PbD, demonstrable compliance.

Art. 4(7) on definition of controller:

  • a natural or legal person,
  • public authority, agency or other body which,
  • alone or jointly with others,
  • determines the purposes and means of the processing of personal data.

Art. 26.1: Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

GDPR Obligations and requirements for controllers:

  • Art. 24(1): Lists the requirement to implement appropriate technical and organisational measures for data processing.
  • Art. 25: Lists the requirement to implement data protection by design and by default.
  • Art. 26: Requires that joint controllers should determine their respective responsibilities for compliance in a transparent manner and make it available to data subjects.
    • CJEU analyzed the concept of joint controllers and respective responsibilities in two key cases: “Jehovah’s Witnesses Case“, and “Facebook Fan Pages Case“.
    • Tdlr; a natural person can be a joint controller along with a corporate entity, joint controllers need not have equal responsibility, instead the level of responsibility for each controller must be determined on case-by-case basis depending on their roles in different stages of processing.
  • Art. 27: Controllers and processors outside the EU are required to designate a representative in the Union.
    • Art. 27(2)(a) exempts controllers and processors outside the Union who are engaged in processing which is occasional, does not include, on a large scale, processing of special categories of data, or processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
      • Note: the exemption is multi-layered and extensive.
  • Arts. 28-29: List specific obligations on the processor and controller working relationship. Notable requirements include:
    • a binding, written, legal contract between the controller and processor;
    • processor to guarantee processing of data including transfer of data to third countries only under instructions from controller;
    • processor to fulfill controller’s obligations on data subject’s rights and cooperation with supervisory authorities;
    • processor to require controller’s authorization prior to engaging sub-processors;
    • processor to implement appropriate technical and organisational measures to meet GDPR requirements;
    • stipulations on whether processor to store, delete or return all personal data to the controller at the end of the contract.
  • Art. 30(1): Mandatory obligations on controllers to maintain written records of processing activities (ROPA).
    • A key ROPA requirement is to document the lawful basis (or bases) under Art. 6 for the processing of personal data.
  • Arts. 33-34: Provide details on the breach notification requirements for controllers vis-à-vis supervisory authorities and data subject.
  • Art. 35: Obligations and triggers to carry out DPIAs.
  • Arts. 37-38: Provide details on DPO requirements and duties.


Guidance, Cases, Judgments on the concept of controller

  1. In the Jehovah’s Witnesses Case, the CJEU explained the concept of controller as follows,

a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller …

2. WP29 Opinion 1/2010 analyzed the concept of controllers and processors. For the definition of controller, it concluded that:

Determination of the “purpose” of processing is reserved to the “controller”. Whoever makes this decision is therefore (de facto) controller. The determination of the “means” of processing can be delegated by the controller, as far as technical or organisational questions are concerned. Substantial questions which are essential to the core of lawfulness of processing are reserved to the controller. A person or entity who decides e.g. on how long data shall be stored or who shall have access to the data processed is acting as a ‘controller’ concerning this part of the use of data, and therefore has to comply with all controller’s obligations.”

3. Coming soon: summary of In the matter of WhatsApp Ireland Limited (DPC Inquiry Reference: IN-18-12-2).