Controller or processor or…? – Self-discovery in data protection

The classification of the actors involved in data processing can lead to complicated demarcation issues in individual cases, even if the distribution of roles specified by the GDPR is straightforward. Thus, controllers and processors may be involved in the processing of personal data. Since the program of duties of these actors is structured differently and the scope of liability differs, it is essential for companies or organizations to determine which data protection role they assume. 

Liability risks in the event of missing or insufficient role allocation

The lack of or incorrect classification as a controller or processor becomes apparent at the latest when a data protection breach subject to notification is identified. In this case, the competent supervisory authority must be notified of the incident, and it must be stated who is the controller and would therefore be liable for a failure to notify under Art. 33 of the GDPR, which could lead to a damage claim under Art. 82 (2) sentence 1 of the GDPR. 

In contrast, the liability of the processor is limited to the violation of legal duties that they perform in their function. However, if the parties involved have not transparently documented the distribution of roles under data protection law up to this point, time-consuming conflicts arise over responsibilities for data processing, even though the prompt notification of a data breach – within 72 hours – must take place. 

If the deadline expires, there is the threat of a substantial fine, additionally this circumstance can be used by the supervisory authority as an opportunity to conduct further investigations and, if necessary, to impose further fines based on these investigations. To prevent possible investigations by the supervisory authority from the outset, each individual actor should document their position as (joint) controller or processor in a verifiable manner.

Controllers are decision makers 

In essence, a controller determines the “whether” and “how” of data processing, thus deciding on the purposes of dataprocessing and specifying the means by which these are to be achieved. 

If, for example, a company decides to commission a service provider to evaluate future personnel development using artificial intelligence (“AI”), it becomes the responsible party. In addition to the aforementioned notification obligation, the responsible party is subject to further obligations, including the following:

  • Information requirements according to Art. 13 and 14 DSGVO,
  • Implementation of data subject rights, e.g., right to access and deletion,
  • Preparation of a comprehensive processing list,
  • Conducting a data protection impact assessment, which is of considerable importance, especially for AI applications,
  • Conclusion of a processing contract with a processor and verification of the existence of appropriate technical and organizational measures.

Joint controllers share decision-making power

If several companies in a group decide to use the AI application together for reasons of cost reduction and, for example, establish a project group with equal representation to implement the AI, there is evidence of joint responsibility. This is because joint responsibility exists if the purposes and means of the data processing are determined through joint cooperation, so that each controller has a determining influence on the data processing. Joint controllers have a duty to comply with the

  • Conclusion of a joint controller agreement pursuant to Art. 26 GDPR.

In essence, the purpose of such an agreement is to ensure that the controllers divide up their duties among themselves in a transparent manner, in particular who will exercise the data subject rights and who will comply with the information obligations.

Processor assists the responsible person(s)

While the controller determines the purposes and means of data processing, the processor has no decision-making authority of their own. They are bound by the instructions of the controller in the processing and acts merely as the controller’s “extended arm”.

If the aforementioned companies decide to commission a service provider to implement the AI application, the service provider is to be classified as a processor. The catalog of duties of the processor is not as extensive as that of the controller and includes, among other things, the following

  • Creation of records of processing activities,
  • Notification to the controller upon becoming aware of a data breach,
  • Support of controller in the exercising of data subject rights,
  • Data processing only on the instructions of the controller and the other obligations under Art. 28 (3) GDPR.

Indication for an initial classification

If other actors are involved in the processing of personal data, the distribution of roles under data protection law should be examined more closely. The following indications are intended to provide an initial guide to self-assessment.


The importance of a correct or justifiable classification becomes apparent at the latest when irregularities occur in data processing and the pressure arises from the GDPR and between the actors to implement the obligations imposed on them in a data protection-compliant manner. It is therefore essential to discuss the allocation of roles from the outset, especially in the case of ambiguous circumstances, so as not to create additional time pressure by re-evaluating the allocation of roles in an emergency.

We will be glad to answer any questions you may have in this regard.

Competence of national competition authorities in GDPR matters

According to the case law of the ECJ, national competition authorities may also check for violations of the GDPR as part of their competition law review. 

Opinion of the Court
In this regard, the ECJ states in a press release on the judgment in case C-252/21 days:
“In its judgment delivered today, the Court states that, in the context of the examination of whether an undertaking is abusing a dominant position, it may prove necessary for the competition authority of the Member State concerned also to examine whether the conduct of that undertaking is compatible with provisions other than those of competition law, such as those of the GDPR.” 

Complementing this, the ECJ states with regard to the scope of the examination:  
“The examination as to whether the GDPR is complied with is carried out … exclusively in order to establish the abuse of a dominant position and to impose measures to remedy that abuse in accordance with the competition law provisions.” 

The ECJ thus expands the review competence of national competition authorities. However, this decision represents a positive decision for many companies on the second level, because the ECJ thus rejects the legal view, which is sometimes held, that the GDPR is a competition standard.  

Clear allocation of tasks for public authorities
Furthermore, the ECJ clearly outlined the competence of the national competition authorities in the decision, and in this respect strengthened the examination jurisdiction of the data protection supervisory authorities.  
“However, if the NCA finds a breach of the GDPR, it does not take the place of the supervisory authorities established by that Regulation.” 

With regard to the question of how to prevent antitrust authorities from assessing the facts differently than supervisory authorities, resulting in conflicting decisions, the ECJ also made a per-company finding:  
“In order to ensure a coherent application of the GDPR, NCAs are required to coordinate and cooperate loyally with the authorities supervising compliance with that regulation.” 

Overall, it can be stated that while the ECJ’s decision grants competition authorities a right of review with regard to potential GDPR violations on the one hand, the restrictions for companies mentioned in the judgment contribute to legal certainty on the other hand.

NIS-2 Directive: What companies need to consider to ensure cybersecurity

In today’s digital era, businesses are more dependent than ever on the benefits of modern technologies. But with this advancing digitalization also comes increased risks, particularly with regard to cyberattacks and data breaches. To ensure the security of information systems and strengthen the protection of data, the new NIS-2 directive has been introduced.

As a business, you should not underestimate the NIS-2 directive, as it sets out extensive obligations that you must comply with to ensure the protection of your IT infrastructure and cybersecurity. To help you meet the requirements of this new legislation, we have summarized the key points below.

The NIS-2 directive now applies to smaller companies than before. Companies with at least 50 employees, an annual turnover of 10 million euros or an annual balance sheet total of 10 million euros are covered by this directive. Violations of the directive are subject to severe sanctions similar to those of the General Data Protection Regulation (GDPR). The member states of the European Union have an obligation to transpose the NIS-2 Directive into national law by October 17, 2024. Although the national implementation law is not yet available, it is advisable that companies already deal with the extended obligations and possible sanctions of the new directive.

1. Which companies are affected by the NIS-2-Directive?

The Directive generally applies to companies that belong to either a “high criticality sector” as defined in Annex I of the Directive or an “other critical sector” as defined in Annex II. In addition, these companies must be classified as medium-sized, meaning they employ at least 50 people or have an annual turnover of at least 10 million euros or an annual balance sheet total of at least 10 million euros. Furthermore, they must provide their services within the European Union.

“High criticality sectors” include, for example, energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT services management (B2B), public administration and space. “Other critical sectors” include, but are not limited to, postal and courier services, waste management, chemical production, manufacturing, and trade, food production, processing, and distribution, manufacturing/manufacturing (data processing equipment, mechanical engineering, motor vehicle manufacturing, other vehicle manufacturing), digital service providers (online marketplaces, online search engines, social networking service platform providers), and research.

2. Risk Management Measures

The NIS-2 Directive places great emphasis on an effective risk management culture within organizations. Major and important institutions are required to take appropriate technical, operational and organizational measures to ensure the security of their network and information systems. These include, for example, risk analyses, security concepts, backup and crisis management, access controls, and encryption concepts. It is important that these measures are state of the art and appropriate to the individual risks.

3. Cross-Threat Approach

Cyber threats can have different causes, so your risk management measures should take a cross-threat approach. This means that you need to protect not only against cyberattacks, but also against physical threats such as theft, fire, or unauthorized access to your information and data processing assets. Decisions about the risk management measures taken should be based on your organization’s exposure to risk and proportionate to the societal and economic impact of a security incident.

4. Security Incident Reporting Requirements

Under NIS-2, essential and major facilities are required to immediately report security incidents that have a significant impact on their services. These reports are made in a multi-step process that includes an early warning, a report of the incident itself, and a final report. In addition, you may be required to notify affected customers and users of significant security incidents that could impact the delivery of your services.

5. Governance and Accountability

The NIS-2 Directive places great emphasis on the responsibilities of corporate governance bodies. They must ensure that adequate resources are allocated to cybersecurity assurance and that there is a clear division of responsibilities within the organization. In addition, regular cybersecurity assessments should be conducted and adjustments made as necessary to keep pace with changing threats.

6. Enforcement and fines

The NIS-2 Directive endows the supervisory authority with broad powers, distinguishing between essential and important facilities. Authorities now have the power to conduct on-site inspections and to request certain information and data access. Essential facilities are subject to broader oversight powers, including non-emergency measures such as audits, regardless of risk assessment.

In enforcing the duties, authorities can take the same actions against operators of essential facilities as against operators of essential facilities. The authorities have various tools at their disposal, such as issuing binding instructions, setting deadlines, and imposing fines. In the case of essential facilities, the authorities can even order the temporary removal of management personnel.

In addition, there is the threat of severe fines in the event of violations. For operators of essential facilities, the maximum fine is either 10 million euros or 2 percent of annual worldwide turnover, whichever is higher. For operators of essential facilities, the maximum is either 7 million euros or 1.4 percent of annual worldwide turnover, whichever is greater.

Companies subject to the NIS-2 Directive facilities should always also comply with the provisions of the General Data Protection Regulation (GDPR) in the event of a significant security incident. It is possible that personal data will also be affected in the event of a significant security incident. Irrespective of a notification under the provisions of the NIS-2 Directive, the incident must also be reported to the data protection authority in accordance with Article 33 of the GDPR within a reasonable period of time.

In relation to the GDPR, there is a single overriding provision in the NIS-2 Directive. If the DPA imposes a fine under the GDPR, a fine under Article 35 (2) of the NIS-2 Directive is excluded for the same breach. However, other enforcement actions remain possible.

Contact us today to strengthen your cybersecurity together!