Responsibility for GDPR compliance: the data controller

AuthorMichèle Finck
Blockchain and the General Data Protection Regulation
4. Responsibility for GDPR compliance: the data controller
The data controller is the entity responsible for complying with obligations arising under the
GDPR. The data controller can be a natural or legal person or any other body.247 The correct
identification of controllership in relation to each personal data processing operation is an
important exercise as it enables the identification of the person or entity that the data subject is to
address to enforce their rights under the Regulation. Indeed, in the words of the Article 29 Working
Party, the first and foremost role of the controller is 'to determine who shall be responsible for
compliance with data protection rules, and how data subjects can exercise the rights in practice'.248
The GDPR is built on the principle that responsibility and accountability rest with the controller,
who is charged with the practical effectiveness of European data protection law. The controller must
implement appropriate measures, both of a technical and organisational nature, to be able to
demonstrate that its data processing occurs in line with GDPR requirements.249 Where it is
proportionate in relation to the processing activities, the latter shall include the implementation of
appropriate data protection policies and compliance with the data protection by design and by
default requirements.250 The controller (or its representative) is moreover obliged to maintain a
record of processing activities under its responsibility that provides information about the
purposes of processing251, the categories of data subjects and personal data 252, the categories of
recipients to whom personal data is disclo sed253, information about personal data transfers254, and
also the envisaged time limits for erasu re as well as information about technical and organisational
security measures.255 Beyond, there is an obligation that, at the moment of personal data collection,
the controller provide the data subject with information, including regarding its own identity and
contact details.256 Thi s highlights that the controller is the entity that is situated at the centre of EU
data protection law, charged with the implementation of data protection safeguards ab initio, but
also as the central point of contact for data subjects that w ish to enforce their rights.
It is important to stress that the relevant data controller must be pinpointed in relation to ea ch
personal data processing operation, underlining the need for a case-by-case analysis accounting
for all relevant technical and contextual factors. The concept of controllership is furthermore
autonomous as it ought to be interpreted solely on the basis of EU data protection law, and
functional as 'it is intended to allocate responsibilities where the factual influence ins, and thus
based on a factual rather than formal analysis'.257 Thus the formal identification of a controller in a
contract or in terms of conditions is not decisive and can be overturned by a subsequent court
decision that determines controllership on the basis of fact rather than form.
247 Although the A29WP has cautioned that in case of doubt ‘preference should be given to consider as controller the
company or body as such’ (such as where the question is whether the controller is a company or its employee). Article 29
Working Party, Opinion 1/2010 o n the concepts of “controller” and “proce ssor” (WP 169) 00264/10/EN, 15.
248 Mahieu R et al (2018) Responsibility for Data Protection in a Networked World. On the question of the controller, “effective
and complete protection” and its application of data access rights in Europe 12
249 Article 24 (1) GDPR.
250 Article 24 (2) GDPR and Artic le 25(1) GDPR.
251 Article 30(1)(b) GDPR.
252 Article 30(1)(c) GDPR.
253 Article 30(1)(d) GDPR.
254 Article 30(1)(e) GDPR.
255 Article 30(1)(g) GDPR.
256 Article 13(1)(a) GDPR.
257 Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169) 00264/10/EN, 1.
STOA | Panel for the Future of Science and Technology
It has also become evident that the concept of the controller ought to be given a wide
interpretation. In Google Spain, the ECJ stressed the need 'to ensure, through a broad definition of
the concept of 'controller', effective and complete protection of data subjects'.258 As a consequence,
the operator of the Google search engine was qualified as a data controller even though it did not
'exercise control over the personal data published on the web pages of third parties'.259 Google Spain
continues to have a lasting influence on this area of the law, not only because it set a firm precedent
for the broad interpretation of the notion of controllership but also due to the justificati on that was
used. The Court continues to rely on the criterion of 'effective and complete protection' to justify
broad interpretations of various concepts, including that of (joint) controllership as will be seen
4.1. The GDPR's definition of the data controller
The text of the GDPR itself contains a specific test designed to determine the identity of the
controller in relation to each personal data processing operation. Article 4(7) GDPR indeed provides
that the data controller is the person or entity that determines the purposes and means of personal
data processing.
Article 4(7) GDPR defines the data controller as:
the natural or legal person, public authority, agency or other body which, alone
or jointly with others, determines the purposes and means of the processing of
personal data; where the purposes and means of such processing are
determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law260
To determine the identity of the data controller in relation to a specific personal data processing
operation it is thus necessary to enquire who determines the purposes and means of processing.
According to the Article 29 Working Party, 'determining the purposes and means amounts to
determining respectively the 'why' and the 'how' of certain processing activities'.261 This underlines
that controllership is a functional concept 'intended to allocate responsibilities where the factual
influence is'.262
In its opinion on SWIFT, the Article 29 Working Party found in 2006 that even though SWIFT had
presented itself as a mere data processor, it was in fact a data controller.263 Indeed, in this specific
case, the factual influence test had revealed that SWIFT had 'taken on specific responsibilities which
go beyond the set of instructions and duties incumbent on a processor and cannot be considered
compatible with its claim to be just a 'processor'' as it in fact determined the purposes and means of
processing.264 This illustrates that the desi gnation of a given entity as the controller (such as in terms
and conditions) who does not actually exercise control over the modalities of processing is void.265
In order to determine controllership, it is accordingly necessary to operate a factual analysis that
considers where influence over the means and purposes of personal data processing lies.
258 Case C-131/12 Google Spain [2014] EU:C: 2014:317, para 34.
259 Ibid.
260 Article 4 (7) GDPR.
261 Article 29 Working Party, Opinion 1/2010 on the concepts of “controller ” and “processor” (WP 169) 00264/10/EN, 13 (m y
own emphasis).
262 Ibid, 9.
264, page 11.
265 Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169) 00264/10/EN, 9.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT