Who are these actors?
The controller can be any “natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (…)”. This shows that any entity that has personal data at its disposal for whatever reason is considered a controller, be it, for instance, to conduct scientific research based on personal data or for marketing or business purposes. The controller has influence over the processing of personal data, either through the execution of the processing itself or through the ability to decide on the processing. In order to determine whether an entity is a controller, the following questions may be asked:
- Who makes decisions about data processing?
- Who has the power to stop the data processing?
- Why is the processing taking place?
- Who initiated the processing?
- Who benefits from the processing?
The definition also includes the possibility that the controller does not act alone, but that there are multiple controllers, jointly controlling the data. The section on Joint Controllership explains this in more detail.
What are their tasks?
The controller determines the means and purposes of data processing. This means that the controller is in control of the data and is the actor that actually decides what can be done with personal data. Usually, the controller aims to achieve a goal, e.g., a research project objective or a business process, for which the processing of data is necessary.
What are their rights and responsibilities?
Controllers need to ensure compliance with data protection regulation, such as the GDPR. In other words, controllers are responsible for what happens with the data, how it is processed and whether the processing is compliant with the GDPR or not. In practice, this means that controllers have to introduce measures and safeguards aimed at ensuring the application of the GDPR and demonstrating such policies. Indeed, Art. 24 GDPR defines the responsibility of the controller to
“implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
These technical and organizational measures are explained in more detail in the section “Principles” (3.1.3) of this document. The controller needs to be able to demonstrate that the data processing principles, such as data minimization, storage limitation and transparency, are implemented and guaranteed. This is referenced in Art. 5(2) GDPR as the accountability of the controller. It is therefore essential that the controller is able to demonstrate and document (Art. 30(2) GDPR) that these principles are fulfilled. Research projects should be conducted and implemented with the principles of privacy-by-design and privacy-by-default (Art. 25 GDPR) in mind. Accountability hereby means not only that “… the project proposal has to satisfy a given check list of conditions, but as the research methodology itself has to be ethical-legal compliant by design”. Practical examples include the involvement of an interdisciplinary team, a legal-ethical expert appointed as DPO, IT infrastructure that satisfies the CIA triad (confidentiality, integrity, availability), and the recording and regulation of data flows within the research team and between the research team and other entities.
The controller can instruct and appoint other entities to conduct processing on its behalf; such an entity is called the processor. It is the duty of the controller to use only processors that can provide sufficient guarantees that they have implemented appropriate technical and organizational measures for the GDPR-compliant processing of the data. Such measures need to be taken and demonstrated in order to secure the processing and to protect data subjects’ rights. Researchers that act as controllers are therefore obliged to use only trustworthy processors that can demonstrate their compliance with the regulation.
If the rights of the data subjects have been infringed, that is, personal data have been processed unlawfully, resulting in material or non-material damage, these data subjects can exercise their rights under Art. 16–23 GDPR (see section on Data Subject Rights). To this end, the controller is the “ultimate point of reference” that the data subjects can contact to exercise their rights. Art. 82(1) GDPR states that under such circumstances data subjects have the right to receive compensation from the controller (or processor) for the damage. Additionally, controllers are liable for damage if they infringe upon the GDPR (Art. 82(2)). Recital 146 states that data subjects are to receive effective and full compensation for the damage they have suffered and that the “concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”.
Checklist: You are likely to be a controller if you answer one of the following statements with “yes”
1. Art. 4(7) GDPR.
2. See EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725, p. 7, based on Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388, para. 40, and Opinion of Advocate General Bot in Case C-210/16, Wirtschaftsakademie, paras. 64 and 65.
3. See Art. 24(1) GDPR.
4. EDPS, “A preliminary Opinion on data protection and scientific research”, 6 January 2020, p. 17.
5. EDPS, “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, 2 September 2020, p. 8.
6. D. Amram, “Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations, ethics, and health-data research: Comparative remarks”, Computer Law and Security Review, July 2020, Vol. 37, p. 2.
7. Ibid., p. 6. The author of this article identifies additional features to consider to achieve an “acceptable level of compliance”.
8. EDPS, “Guidelines 07/2020 on the concepts of controller and processor in the GDPR”, September 2020, p. 4.