Lexicon > Person in charge of the treatment

IT Glossary

Person in charge of the treatment

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

The controller is, together with the processor, one of the main actors of the GDPR.

He/she must have de facto influence over the treatment operation through the exercise of his/her decision-making authority. This control can be based on explicit legal competence or on implicit competence

The data controller is thus in fact the one who determines the “why” and the “how” of a personal data processing.

However, if the determination of the purpose is exclusively reserved to the controller, the latter is only required to determine the “essential elements” of the processing.

Indeed, the non-essential elements of the means can be identified and determined by the processor, as long as he does so following the general instructions given by the controller and in his interest.

In practice, an entity does not need to have access to personal data to be considered a controller.

It is sufficient that it determines the purposes and means of the processing, that it has an influence on the processing by being at the origin of the triggering of the processing of personal data (and being able to terminate it), or to receive anonymous statistics based on personal data collected and processed by a subcontractor.

The data controller has numerous obligations, enshrined in particular in the GDPR to be complied with, including ensuring that data subjects can exercise the rights conferred on them by the GDPR or to guarantee a level of security of the personal data processed appropriate to the risk.

GDPR Point

” The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.  Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons. 

Recital 74 of the GDPR


Point of jurisprudence

The Court of Justice of the European Union(CJEU) has recalled that a natural or legal person ”
which influences the processing of personal data for its own purposes and thereby participates in determining the purposes and means of such processing, may be regarded as a controller
[…] “.

Court of Justice of the European Union, July 10, 2018, No. C 25/17

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.