What are GDPR data controllers, processors, subjects and all the other actors?

There are so many moving parts in the new General Data Protection Regulation (GDPR) that it can get quite confusing. In the seminars and meetings we run a lot of the initial questions we receive are based around the main terminology in the new legislation, especially in regards to main actors / players. Without this basic knowledge of who is who, it is impossible to understand responsibilities and the what and when.

We have been asked by several of you to try break this down in a simple format and manner to clarify who is who and highlight some of the most relevant points for each. By doing so, hopefully, when you see the terminology in the future it will not faze you.

Making Article 4 a little easier to digest

So, in response to your requests we have created this blog post. In Article 4 of the legislation all of what we will talk about is fully explained. However, we know not everyone is going to have the time to go through the legislation just to get a general understanding. In addition, it is legislation so unless you are a lawyer or a legal eagle it can sometimes be a challenge for the average reader, yours truly included.

In this post, we will paraphrase the legislation and use more straight forward language to try clarify the meaning of each of the main actors and some of their responsibilities. For the actual full definitions, you can find them in the legislation which is publish all EU languages on the EU site, you can directly download the English version here.

Below you can find a data flow graph with the main actors and the relationships between them. Below we will go explain each of the actors in a very  straight forward manner, the objective of the post is not to know every detail of each obligation, responsibility, right etc. moreover to get a top-level view of where the actors all fit into the bigger GDPR picture and how they must play (engage – interact) together.


Lets start at the beginning: Personal data.

The linchpin to the relationship between all the actors is personal data. Everything gravitates around personal data so knowing what that is a logical perquisite to understanding the actors. It is important to note that this is a broad term and is growing and includes more data categories as time goes by.

Any information relating to a person (‘data subject’), that can identify that person directly or indirectly. This information would identify the person through identifiers such as a name (their name, a name they have on a site), an identification number (passport, national ID, membership card id), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
As mentioned before what data types are considered personal is growing over time. In October 2016, the European Court ruled that the data collected by web servers, for example users IP addresses, is personal data.

1.European Data Protection Board

The Board is composed of the head of one supervisory authority of each Member State (28) in total and of the European Data Protection Supervisor. The role of the Board will be to review what is working and what is not working and also to give advice and guidance. The Board will have a Chair / President. The European Union Commission will consult with the Board on certain issues such as assessing the level of protection in Third countries, mentioned below.

2. Supervisory Authority (SA)

An independent public authority which is established by a Member State to enforce legislation locally. In simple terms, the group that makes sure that the regulation is executed in their state. They will be he group or groups responsible for managing, dishing out, the administration fines to controllers and processors.

They will also need to coordinate with other Supervisory Authorities in the case of multiple actors in more than 1 member state in any disputes or actions. They will need to coordinate to define who should be the Lead SA and so on.

3. Data Processors

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor does not determine the purpose and or means of the processing. They just process the data as requested by the controller.

This is quite typically when data processing is outsourced by the controller. In the case above you may have your data being processed by a third party. An example could be having your companies pay roll managed by a third party or if you have cloud provider such as Microsoft Azure (collection, recording, organization, structuring, storage…)

If a supplier is acting in accordance with a data controller’s requirements it is a data processor. Under the old directive, it was only the data controller that would be fined in case of non-compliance. Under the new legislation, the processor is also liable. So now the light of the law can no shine on the processor also, they have their own obligations that they must comply with. A lot of this is based on having the right security measure in place.

4. The Data Controller (this is a key actor and has the most responsibility)

This is the organization / entity, regardless of if it is public, private non-profit etc. that determines the manner and purpose of collecting personal data. This is the actor that has most responsibility within the GDPR. In simple terms this is the company that defines what personal data they want and for what purpose. The company then requests that data from people (employees, customers, public etc.). A simple example could be a website that the company requests your name and address to send you a package. The company that defined the fact that you have to give them that information and the purpose of that request is the Data Controller (Company A).

Who actually collects this information and processes it may be another company. The website, for example, may be managed by Company B and another company, Company C (Microsoft Azure for example) maybe storing that information.

The Data Controller not only needs to comply with the regulation but must demonstrate compliancy, this is one of the key differences between this legislation and others. Under the new law, the controller will need to be able demonstrate compliancy at any given time due to requests from the SA or the Data Subject.

5. Data Subject

A “data subject” is a natural person, so me or you, a living human being. This Regulation protects fundamental rights and freedoms of natural persons, basically it gives people power over their data. What is a little vague is in regards to the origin or citizenship of the data subject, the legislation states “The Regulation applies to the processing of personal data of data subjects who are in the Union”.
Fun fact; the regulation is only applicable to living individuals.

5.1 Data subject rights

There are eight powerful rights that a data subject can demand from the controller. They include the Right to erasor (Article 17), more commonly known as the right to be forgotten. This article empowers a Data Subject to request, to a data controller, that all personal information about him / her can be erased. Other rights include the Right to access any personal data and the Right to data portability.

6. Third countries and International Organizations

These are countries outside of the European Union or the European economic area. There is a prohibition in that you cannot send data outside of Europe unless you reach certain conditions. Such a condition is “adequacy” which is establish by the European Union Commission, this means basically that the third country has to have similar laws to those in the EU; such as human rights and freedoms etc.

If there is absence of an adequacy decision by the EU Commission in regards to a Third country the Controller will need to establish a legal contract that will guarantee the protection of the person data in question.

“Binding corporate rules” are sometime used in these case. These are rules and processes that are used throughout your organization and accepted by the Supervisory Authority, you could use these with another Third country or International Organization. It is believed that most large organizations will use “Bind corporate rules” to manage these scenarios.

7. Third parties

Third parties work on behalf of the Data Subjects so these could typically be lawyers, solicitors or even members of the family that are working, by proxy, on behalf of the Data Subject. They will be able to execute a data subject’s rights and also process the data on behalf of the data subject.

The General Data Protection Regulation can be a challenge to navigate but it is impossible to comprehend without having a clear understanding of these key actors.

Leave a Reply

Your email address will not be published. Required fields are marked *