The controller is one of the parties involved in a processing operation along with the processor, the joint controller and the third party.
▶ The data controller is the natural or legal person who decides on the purpose and means of the processing.
A data controller is therefore characterised by its autonomy in setting up and managing a processing operation. It is the data controller who decides to create or delete the processing operation. The data controller must therefore ensure compliance with all the obligations imposed by law.
This is generally the organisation.
For example, a local authority will be responsible for processing carried out in the context of public activities, such as the civil status file. A private company will be responsible for processing carried out for employee management. As an employer, it decides to process personal data in order to recruit employees and run the business.
Responsibility is attached to the entity behind the decision and the purpose of the data processing activity.
▶ Liability for processing is similar to liability in contract or tort. Thus, the data controller is generally not the company director, who is merely the data controller's legal representative.
For example, Dastra employs staff. It has a human resources director and a CEO. Processing relating to human resources management will be the responsibility of Dastra, the company. The CEO and HR Director are staff attached to the controller and are not autonomous. Their decisions are taken for the sole purpose of fulfilling the company's corporate purpose.
▶ Responsibility may sometimes rest with a natural person. This is the case in particular for the professions (lawyers, doctors) or Members of Parliament in respect of their parliamentary activity.
"Are you a data controller?" self-assessment
▶ Here is a list suggested by the European Data Protection Supervisor to easily determine who is responsible for processing. If the majority of answers are YES, then you are a data controller.
- You have decided to process personal data or you are at the origin of the processing by another entity.
- You have decided what the purpose or result of the processing operation should be.
- You have decided on the essential elements of the processing operation, i.e. what personal data is to be collected, from whom, for how long, who has access to it, who the recipients are, etc.
- The data subjects of your processing operations will be informed of the purpose of the processing operation.
- The data subjects of your processing operations are your employees.
- You exercise professional judgement when processing personal data.
- You have a direct link with the data subjects.
- You have autonomy and independence in the way you process personal data.
- You have appointed a processor.
- You have appointed a processor to carry out processing activities on your behalf, even if the entity chosen for this purpose implements specific technical and organisational means (non-essential elements).