Blockchain and the General Data Protection Regulation
4. Responsibility for GDPR compliance: the data controller
The data controller is the entity responsible for complying with obligations arising under the
GDPR. The data controller can be a natural or legal person or any other body.247 The correct
identification of controllership in relation to each personal data processing operation is an
important exercise as it enables the identification of the person or entity that the data subject is to
address to enforce their rights under the Regulation. Indeed, in the words of the Article 29 Working
Party, the first and foremost role of the controller is 'to determine who shall be responsible for
compliance with data protection rules, and how data subjects can exercise the rights in practice'.248
The GDPR is built on the principle that responsibility and accountability rest with the controller,
who is charged with the practical effectiveness of European data protection law. The controller must
implement appropriate measures, both of a technical and organisational nature, to be able to
demonstrate that its data processing occurs in line with GDPR requirements.249 Where it is
proportionate in relation to the processing activities, the latter shall include the implementation of
appropriate data protection policies and compliance with the data protection by design and by
default requirements.250 The controller (or its representative) is moreover obliged to maintain a
record of processing activities under its responsibility that provides information about the
purposes of processing251, the categories of data subjects and personal data252, the categories of
recipients to whom personal data is disclosed253, information about personal data transfers254, and
also the envisaged time limits for erasure as well as information about technical and organisational
security measures.255 Beyond this, there is an obligation that, at the moment of personal data collection,
the controller provide the data subject with information, including regarding its own identity and
contact details.256 This highlights that the controller is the entity that is situated at the centre of EU
data protection law, charged with the implementation of data protection safeguards ab initio, but
also as the central point of contact for data subjects that wish to enforce their rights.
It is important to stress that the relevant data controller must be pinpointed in relation to each
personal data processing operation, underlining the need for a case-by-case analysis accounting
for all relevant technical and contextual factors. The concept of controllership is furthermore
autonomous as it ought to be interpreted solely on the basis of EU data protection law, and
functional as 'it is intended to allocate responsibilities where the factual influence is, and thus
based on a factual rather than formal analysis'.257 Thus the formal identification of a controller in a
contract or in terms and conditions is not decisive and can be overturned by a subsequent court
decision that determines controllership on the basis of fact rather than form.
247 Although the A29WP has cautioned that in case of doubt 'preference should be given to consider as controller the
company or body as such' (such as where the question is whether the controller is a company or its employee). Article 29
Working Party, Opinion 1/2010 on the concepts of "controller" and "processor" (WP 169) 00264/10/EN, 15.
248 Mahieu R et al (2018) Responsibility for Data Protection in a Networked World. On the question of the controller, "effective
and complete protection" and its application of data access rights in Europe, 12.
249 Article 24 (1) GDPR.
250 Article 24(2) GDPR and Article 25(1) GDPR.
251 Article 30(1)(b) GDPR.
252 Article 30(1)(c) GDPR.
253 Article 30(1)(d) GDPR.
254 Article 30(1)(e) GDPR.
255 Article 30(1)(g) GDPR.
256 Article 13(1)(a) GDPR.
257 Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169) 00264/10/EN, 1.