Michèle Finck, ‘Cobwebs of control: the two imaginations of the data controller in EU law’

“Article 4(7) of the General Data Protection Regulation (‘GDPR’) defines the data controller as the natural or legal person that determines the purposes (the ‘why’) and the means (the ‘how’) of personal data processing. Article 24 provides that ‘[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers’. These legislative definitions seem to indicate that the controller decides why and how data is processed. Over time, however, regulatory guidance and judicial interpretations have significantly reduced the threshold of influence that is required. Whereas the determination of the purposes remains a condition (almost always fulfilled as any product or service’s use is motivated by a given objective) even the most marginal influence over the means, such as enabling someone else’s processing, suffices to be a controller …”

Michèle Finck, Cobwebs of control: the two imaginations of the data controller in EU law, International Data Privacy Law, https://doi.org/10.1093/idpl/ipab017. Published: 21 August 2021.

First posted 2021-08-25 12:00:15

Leave a Reply