What is a controller?

Under data protection law, if an entity looks like a controller and acts like a controller it is a controller regardless of what it calls itself. Controllers are individuals or entities that, alone or in jointly with others, determine the purposes and the means of the processing of personal data.

The first and foremost role of the concept of controller is to determine who shall be responsible for compliance with data protection rules, and how data subjects can exercise the rights in practice. Controllers are primarily responsible for overall compliance with GDPR and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures. Since the controller determines the “means and purposes” of the processing, in effect all provisions setting conditions for lawful processing are essentially addressed to the controller, even if this is not always clearly expressed. The provisions on the rights of the data subject (e.g. to information, access, rectification, erasure and blocking, etc.) under data protection law are framed in such a way as to create obligations for the controller. The controller is also central in the provisions on notifications to data subjects (e.g. privacy notices) and supervisory authorities (e.g. in data breach situations). Finally, it should be no surprise that the controller is…