Controller of personal data

About personal data, processing and application of GDPR[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), I wrote in previous posts. Form today’s post you will learn who is a controller of personal data and what obligations does he have.

Who is a controller of personal data?

According to art 4 p. 7 of GDPR:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

For entrepreneurs substantial is the first part of the above definition, according to which a controller of personal data is every entity which alone or jointly with other entity determines purposes and means of personal data processing. The second part of the definition about determination of the controller and purposes and means of the processing by Union or Member State law, can be skipped – it is rare situation and in most cases it does not apply for personal data processing by entrepreneurs.

Two elements are key for awarding the status of data controller:

  1. determination of personal data processing purposes;
  2. determination of personal data processing means.

The fact of personal data processing itself is not enough. It is possible to process personal data not being the controller – this is the case in a controller to which the controller entrusts data processing. Only a person or entity deciding about purposes (e.g. marketing purposes) and means (e.g. whether they are processed in IT system, how they are collected, when they will be deleted) of data processing can be the controller. This is the difference between the data controller and the entity to which the controller only entrusted processing of personal data. In such relationship, the controller can be only one – who decides for what purpose and how data are processed. The entity to which data processing is entrusted, processes data according to guidelines received from the data processor. Such distinction of entities dealing with personal data was made by the Supreme Administrative Court, which in its judgment of January 30th, 2002 considered that ,,the controller of personal data is not every keeper of this data, but only the one who decides on the purposes and means of processing’’. I have already mentioned, that the structure of GDPR and the previously in force act on personal data protection are very similar in terms of the personal data controller definition. Admittedly, there are some differences, but the general meaning is practically the same. For this reason, the above judgment, is also relevant in the current legal status.

It is even possible that a personal data controller does not have any contact with data being processed. It happens when the controller commissions to another person to collect personal data, do the necessary operations and then delete them. However, it will not change the fact that the personal data controller has decided on the purpose and methods of processing personal data. The contractor will perform all operations on the data, but for the purpose and in the way specified by personal data controller in the contract for entrusting of personal data processing.

A controller of personal data may be natural person, legal person, legal entity with limited legal capacity, but also other organizational units, including public authorities. When it comes to natural person, the case is simple – a natural person is the one who performs all the duties of the personal data controller. Natural person is also responsible for the failure to fulfill that obligations. In case of a legal person or other organizational unit, formally that entity is personal data controller, however, all the related duties and responsibilities are performed by the head of the unit (e.g. company management in the case of company or partners in the case of partnership).

Main duties of personal data controller

A personal data controller has many responsibilities. I will discuss them in the next posts, focusing on their practical aspects. Now I only present some elementary duties of a personal data controller.

The most important duty of a personal data controller, is to comply with the GDPR regulations, such as:

  • information obligation – before data processing begins, the controller must provide a person whose data is processed with information specified in the GDPR.
  • obligations related to protection of personal data – using appropriate technical and organizational measures, so that the processing is in accordance with the GDPR

The above obligations are not all duties of a controller. These are only examples. I will develop this topic in another posts.

Examples of personal data controller

As I mentioned above, a personal data controller is any entity referred to in art. 4 p. 7) of the GDPR, if it determines the purposes and means of personal data processing. Despite this issue seems to be easy, I present  few examples:

  • an employer is a personal data controller of employees’ personal data,
  • an owner of the online store is a personal data controller of customers’ personal data,
  • a company owner is a personal data controller of contractors’ personal data,
  • an insurance company is a personal data controller of insured’s personal data.

More than one personal data administrator

Is it possible to have more than one personal data controller for the same data set ? Yes, such possibility is even included in the definition of the controller in GDPR. It indicates that the purposes and methods of processing are determined independently or together with others. This issie is developed  in art. 26 of GDPR, which states that: ,,Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. So if two or more entities jointly decide on the purposes and methods of personal data processing, then on the basis of GDPR, both are the personal data controllers. Before implementation of GDPR, this issue was problematic and it was necessary to confirm this possibility by jurisprudence. Now, there is no doubt that GDPR directly allows existence multiple personal data controllers.

The situation, when there are more controllers for one data set, is rare. Usually there is only one entity who decides on the purposes and means of data processing.

Personal data controller and civil law partnership

An issue of personal data controller in case of personal data processing bycivil law partnership, is interesting. A civil law partnership has no legal entity – it is only a contract under which the partners agree to achieve a common economic goal, in particular by making contributions (art. 860 § 1 of the Civil Code). As a consequence, a civil law partnership cannot be subject of rights and obligations, but  partners are. Therefore, the partners are also controllers of personal data processed within business activity of the civil law partnership. Not the partnership but the partners. All of them? GDPR does not provide a clear answer, but based on art. 4 p. 7) and art. 26 of GDPR, it seems so. Therefore, should each of the partners separately perform all the controller’s obligations contained in GDPR, including obtaining consent for data processing and fulfilling the information obligation? Not necessarily. According to art. 864 of the Civil Code, partners of a civil law partnership, are jointly responsible for the partnership’s liabilities. So it should be assumed that if one of the partners performs the controller’s duties, the others do not have to do it. And on the other hand, if any obligation is not performed by any of the partners, they are all responsible.

To summarize the personal data controller issue in civil law partnership – all partners are controllers, but it is enough if all obligations set out in GDPR are performed by one of them. It is also OK if some of duties are performed by one partner and other duties by the other partner.

Przypisy

Przypisy
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Tomasz Korolko

Partner

Related Posts

1 May 2023

Entrusting processing of personal data

Quite often it happens that an entrepreneur performing operations on personal data does not become their controller. Despite the fact that it processes data, someone else is their controller.

Read More
31 March 2023

Data protection officer

GDPR provides for the function of a data protection officer, who should be appointed by the controller in certain situations. I explain when it is mandatory and who and how to appoint to this position, as well as what are his tasks.

Read More
Back To Top