Liability and responsibility: The data controller


In the context of the GDPR and data protection, the controller is mentioned just as often as personal data. However, people who are less familiar with data protection are not always sure who is actually the controller in a given case. This article is intended to help determine the controller.

Who is responsible for data protection in the company?

The GDPR provides a comprehensive definition in Art. 4 (1) No. 7 GDPR.

The second part of the definition quoted below in particular tends to cause confusion. "Jointly" in this case means that there may be not just one controller, but several controllers at the same time. For this reason, special provisions for "joint controllers" have also been made in Art. 26 GDPR.

In contrast, there are also data subjects and processors. Data subjects are the "owners" of personal data to which a personal link can be established (e.g., customers and website visitors). Processors, on the other hand, are contracted by data controllers (e.g., companies) to provide certain services and process data (e.g., web hosting, email inbox).

"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data [...].

The responsible body or controller is therefore always the authority or company that processes the data and decides on the purposes and means of the processing of personal data. However, a responsible body can also be a natural person.

This distinction is important because, for example, processors are not controllers within the meaning of the General Data Protection Regulation. In genuine processing operations, the controller decides how and for what purpose the data are processed - the controller thus decides solely on the purposes and means of the processing (see above).

However, if a processor starts processing personal data (received from the controller) for its own purposes, it is no longer a case of commissioned data processing. In such cases, there are two data controllers.


Controllers within the meaning of the General Data Protection Regulation are all entities that (can) decide on the purposes and means of data processing.

Consequences and liability

This has far-reaching consequences, because jointly responsible parties are usually also jointly liable. For example, if two companies jointly acquire new customers as part of a partnership and pass on their customer data, both companies are jointly liable.

Unauthorized disclosure of customer data by company B can therefore also affect company A. The GDPR thus deliberately ties joint controllers together in such joint processing activities. The increased risk is intended to significantly increase the pressure on controllers to document the individual processing operations and to operate good data protection management.

Controllers are also liable for unauthorized processing activities of processors if they have neglected their selection and control obligations.

Examples of data controllers

Private processing

Hans celebrates his wedding together with Maria and asks all wedding guests to sign up for his private newsletter.

Hans is not a data controller within the meaning of the GDPR, as the GDPR does not apply to purely private or family activities.

Commissioned processing (standard case)

Company A operates a website with a contact form at hosting provider B.

Company A is the controller and hosting provider B is the processor.

Commissioned processing (encryption)

Company A creates backups at the company and encrypts them. The encrypted data is transferred to cloud storage C.

Company A is the controller and cloud storage C is the processor, even though C only stores encrypted data.

Joint controllers (standard case)

Company A jointly launches a sweepstakes with Company B. The companies jointly operate a platform for registering for this sweepstakes with hosting provider C.

Companies A and B are jointly responsible for the data. Hosting provider C is a processor.

Joint controllers (interconnectedness)

Company A and Company B work together on Project X. Project X provides consulting services in area Z to end customers. The end customers come to Company A only for consulting, and the consulting also takes place only on Company A's premises. However, Company B sends an employee C to Company A's premises to assist Company A in carrying out Project X. Employee C is not assigned to Company A.

Since it cannot be ruled out that employee C processes personal data or becomes aware of it, there is joint responsibility. It does not matter whether the processing activities are carried out on the premises of one or both companies.
