Dictionary

Controller

The information material provided by “Your Data. Your Rights.” often speaks of “providers” and “data-processing companies”. The legally correct term from the General Data Protection Regulation, however, is “controller” or “data controller”. This refers to any natural or legal person, authority or other body that decides on data processing or processes data.

In Germany, the Federal Data Protection Act applies to public and non-public bodies. Public bodies are, for example, federal and state authorities, while non-public bodies are companies and associations.

Examples of companies that can be considered “responsible” are providers of social networks or mail software, but also insurance companies, doctors’ offices or mail order companies.

See also Processor

Article 4(7) GDPR (Definitions)

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

Source: Regulation (EU) 2016/679

Section 2 BDSG (Definitions)

(1) Public bodies of the Federation are the authorities, judicial bodies and other public law institutions of the Federation, of direct federal corporations, statutory bodies and foundations established under public law and of their associations irrespective of their legal form.

(2) Public bodies of the Länder are the authorities, judicial bodies and other public law institutions of a Land, a municipality, an association of municipalities or of other legal persons under public law subject to Land supervision and of their associations irrespective of their legal form.

(3) Associations of public bodies of the Federation and the Länder which are established under private law and perform tasks of public administration shall be regarded as public bodies of the Federation irrespective of the participation of private bodies if
1. they operate beyond the borders of a Land, or
2. the Federation holds the absolute majority of shares or controls the absolute majority of votes.

Otherwise they shall be regarded as public bodies of the Länder.

(4) Private bodies are natural and legal persons, societies and other associations established under private law unless they are covered by subsections 1 to 3. If a private body performs sovereign tasks of the public administration, it shall be a public body as defined in this Act.

(5) Public bodies of the Federation shall be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law. Public bodies of the Länder shall also be regarded as private bodies as defined in this Act if they take part in competition as enterprises governed by public law and carry out federal law, and if data protection is not governed by Land law.

Source: German Federal Data Protection Act

 

A
B
C