class

DataController

This EClass characterizes the concept of data controller.

"Concept of Data Controller: As to the concept of Data Controller, the Working Party identifies and interprets the three main building blocks of the EU Data Controller definition:

1) “Natural or legal person” – the first building block defining the potential addressee
2) Which alone or jointly with others” – the second building block allowing pluralistic control
3) Determines the purposes and means of processing” – the third building block dealing with the decisive competence of the Data Controller

Considering the term “determines the purposes and means of processing” (i.e., the “why” and “how” of processing activities), the Working Party highlights the importance of the factual circumstances. In particular, contracts stipulating who determines the purpose and who, thus, shall be the Data Controller may only give an indication of the parties’ intentions. These stipulations should not be treated as definitive, however, as to do so would allow parties to allocate responsibility where they think fit.

In determining the purposes and means, the Working Party focuses on the “purpose” of processing rather than the “means” of processing. Accordingly, whoever decides on the “purposes” of the data processing operation triggers the qualification to be (de facto) the Data Controller. Determination of the “means” of processing can be delegated by the Data Controller as far as technical or organisational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing, however, such as the type of data to be processed, length of storage and access to that data, may only be determined by the Data Controller." (source)

Attributes