The Five Building Blocks of 'Controller'
EDPB Guidelines 07/2020 break 'controller' into five building blocks: the person/body; 'determines'; 'alone or jointly with others'; 'the purposes and means'; and 'of the processing of personal data'. 'Determines' is a factual test of decisive influence - contract labels are not decisive. On 'means', distinguish essential means (which the controller must decide to stay sole controller - e.g. what data, retention, recipients, categories of data subjects) from non-essential means (practical/technical implementation, which can be delegated to a processor). A controller need not have actual contact with the data to be a controller.
| Building block | Key point |
|---|---|
| 'Natural or legal person, authority, agency or body' | Can be an organisation, individual or group; an employee acting for the entity is not the controller - the entity is |
| 'Determines' | Factual test of decisive influence; per Art 28(10) a processor that determines purposes/means becomes a controller |
| 'Alone or jointly with others' | Several entities can be controllers for the same processing; you can be a controller without making all decisions |
| 'The purposes and means' | The why (purpose) and how (means); split essential (controller) vs non-essential (delegable) means |
| 'Of the processing of personal data' | Controllership can attach to a single operation or a set; different actors may control different stages |

| Type of means | Who decides | Examples |
|---|---|---|
| Essential means | The controller (must decide these to remain sole controller) | Which data are processed; retention period; categories of recipients; categories of data subjects |
| Non-essential means | May be delegated to a processor | Which software/infrastructure is used; which of the processor's staff may use it |
A customer using an off-the-shelf SaaS database decides whether to use the service for its own data and why - so it is the controller, even though the software's design predetermines much of the processing. The provider processes solely on the customer's behalf and is a processor.
- Where the law imposes an obligation (e.g. an employer must keep a workplace injury register), the organisation subject to the obligation is the controller - even if the law dictates much of the content.
- A controller can be a controller of a single processing operation within a chain without being involved in the others (e.g. market research: the commissioning company is a controller even with no contact with participants and no individual-level data).
- An accountant engaged to audit accounts decides what data it needs and how, using professional judgment - so it acts as a controller, not a processor, despite being engaged by the client.