Main Actors - Guidelines Panelfit

Frédéric Tronnier (GUF)

This section aims to explain the main actors, that is, the roles that may be assigned to individuals, organizations or other entities in the GDPR. Art. 4(7-10) define several of these actors while others are defined later on in the GDPR^{^[1]}. Here, these actors will be defined in order to clarify the different tasks, rights and responsibilities that each actor possesses. In order to work with personal data and to comply with the GDPR it is necessary to understand the role that one takes when working with personal data. A brief summary on the main actors is made in table 1. Within the main body of this document, practical examples are provided in order to illustrate the interplay between the different categories of actors.

DOs

Check what kind of actor or role you or your organization constitute when working with personal data under the GDPR. Every actor has specific rights and responsibilities.
Ensure you know what kind of actor other entities are that you are working with. This may differ, depending on the flow of data between different entities and organizations.
Understand the tasks, rights and responsibilities that each actor possesses when working with personal data.
Ensure that contracts are being used to define the roles, responsibilities and tasks of different organizations that relate to the processing of personal data.
Consult additional literature such as the EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 and the Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

References

¹For more detailed information on the main actors: controller, processor and joint controllers, we refer to the EDPS guidelines on these actors.EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725. Available under: https://edps.europa.eu/sites/edp/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf (Last visited: 03.12.2020)And Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Available under: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf (Last visited: 03.12.2020) ↑

Actor	Controller	Processor	Joint Controller	Recipient	Third Party	Data Protection Officer	Supervisory Authority
GDPR	Art.4(7)	Art.4(8)	Art.26	Art.4(9)	Art.4(10)	Art.37	Art.51
Short description	Any entity that determines the purposes and means of the processing of personal data.	Handles the processing of personal data on behalf of the controller. Does not determine the purposes of this processing.	Two or more controllers that are jointly determining the purposes and means of processing of personal data.	Any entity to which personal data is disclosed to, with the exception of public authorities that receive personal data in accordance with the law.	Any other entity other than controller, processor, data subject or persons authorized to process personal data.	Natural person that acts independently within an organization to ensure the correct application of the GDPR	Independent public authority established by the EU member states. Also called Data Protection Authorities (DPAs).
Tasks	Is in control of the data and decides what is done with it. Usually wants to achieve a goal with the data.	Processes the data under the instructions of the controller.	The tasks are the same as those of a (single) controller but are performed by all joint controllers together.	Has no active part. A recipient is defined only by its access to personal data.	Has no active part.	Ensures that the rights of data subjects are protected Handles and addresses complaints.	Responsible for monitoring and enforcing the correct application of the GDPR. Promotes awareness on issues of data processing. Handles complaints of data subjects.
Rights / Responsibilities	Needs to ensure compliance with the GDPR in the processing of the data and be able to demonstrate that processing of personal data is performed in accordance with the GDPR. Needs to implement appropriate technical and organizational measures for this.	Acts under the instruction of the controller with a certain degree of freedom of choosing the most suitable methods for the processing. Guarantees that the processing meets the requirements of the GDPR.	Joint controllers need to determine their respective responsibilities for compliance with the data processing Need to provide a contact point for data subjects.	No rights and responsibilities. Will become a controller for any processing that is carried out for its own purposes.	Receives personal data. Will become a controller for any processing that is carried out for its own purposes.	Acts independently with an own budget and resources Should not be in a conflict of interest, therefore not a processor or controller.	Enforce application of the GDPR. Can issue warnings and reprimands, or ban or limit the processing of personal data by other entities.

Table 1. Short summary on the main actors in the GD

Complete PDF

Data Subjects

Controller

Joint Controller

Processor

Recipient

Third party

Data Protection Officer (DPO)

Supervisory Authority

European Data Protection Board (EDPB)

European Data Protection Supervisor (EDPS)