Abstract
This chapter aims to examine critically the existing legal provisions on the concepts of controller, processor, and joint controller, as interpreted by the relevant non-binding guidelines and case law, and to propose a new “value chain” method for allocating responsibilities among joint controllers that is more effective and appropriate for the technology- and data-driven world. It also examines the corresponding data protection responsibilities of different data processing actors, in particular through the prism of the new accountability principle, which arguably includes not only obligations for means but also result-oriented obligations for compliance in terms of data subjects' effective and complete protection.
TopBackground
The attribution of responsibility of data controllers and processors has been already examined by a number of scholars. Alsenoy (2016) has compared the two regimes of liability under the repealed Directive and the GDPR, concluding that they remain unchanged and are in compliance with the European Tort Law Principles. On the other hand, many scholars have already emphasized the difficulties in applying the linear concepts of controller and processor to the new economic and technology reality, including inter aliaTene (2013); De Hert and Papakonstantinou (2016); Gürses and Hoboken (2017); Mahieu, Hoboken, and Asghari (2019). While GDPR does not change these concepts, it does clarify the responsibilities of the data processing actors and their accountability, which become more flexible and scalable according to the risks to the individuals’ rights. This new risk-based approach is perceived by Quelle (2017) as changing the nature of the obligations with a possibility for calibration according to the level of risk and other relevant factors such as scope and context of processing.
Key Terms in this Chapter
Data Controller: Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Value Chain Approach: An approach used to delineate the scope of responsibility of a (joint) controller for the whole set of data processing operations starting from the very design phase of the data processing product or service right through the whole data lifecycle with the irreversible deletion of the personal data.
Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Phase-Oriented Approach: An approach used to delineate the scope of responsibility of a (joint) controller only to the set of data processing operations in which the controller actually participates as determining the means and purposes.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Subject: Identified or identifiable natural person.
Accountability: Responsibility of data processing actors to put in place appropriate and effective measures to ensure compliance with the GDPR and be able to demonstrate so.
Joint Controller: A controller who determines the means and purposes of data processing jointly with other controller(s).