GDPR Definition

Article 4(7) GDPR:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Allocation of roles

The internet is built up of a vast number of devices that are connected through multiple network infrastructures that are owned, managed, or used by numerous international companies and persons. The processing of a simple internet query mostly involves multiple devices owned by several international providers. When a data breach occurs in the system of one of these providers during the processing of the query, it is usually unclear for the data subject with which provider it can file a complaint about the breach. The GDPR stipulates that the controller is responsible for all the processors who are involved in the processing of the query. In this way, the data subject has the legal means to address the controller in the event that a data breach occurs with one of the processors that was involved in the processing.

Criteria: purpose and means

According to the GDPR the controller is the (natural or legal) person, authority, agency or body that determines the purpose and means of the processing of personal data. To determine the purpose and the means the controller should be able to answer the following questions:

• With what purpose does the controller collect personal data?
• With what means does the controller collect personal data?
• What personal data is being collected by the controller?
• Which providers are involved by the controller in the processing of the personal data?

The person, company or organization that is able to answer the questions above is most likely the controller according to the GDPR.