Skip main navigation
We use cookies to give you a better experience, if that’s ok you can close this message and carry on browsing. For more info read our cookies policy.
We use cookies to give you a better experience. Carry on browsing if you're happy with this, or read our cookies policy for more information.

Skip to 0 minutes and 7 secondsLet's now discuss the key data protection roles that are established by the General Data Protection Regulation. These are the main actors in the context of the new data protection regime that you should be aware of. Given that persons and entities involved in the processing of personal data do not have the same degree of legal responsibility, there is significant distinction made between data controllers and data processors. The former, acting as captains on board of ships, have more far-going legal responsibilities than the latter, who operate as seamen on ships. The obligations of controllers and processors will be addressed later in this course.

Skip to 0 minutes and 48 secondsData controller or simply controller, entails the natural or legal person, public authority, or any other body that alone or together with others determines the purposes and means of the processing of personal data. Basically, controllers decide what happens with personal data and are responsible for the processing. Among this category of actor, one can find numerous natural persons, such as pharmacists, politicians, lawyers, and others who can process information about individuals, as well as legal persons, such as companies, governmental organisations, non-profit organisations, educational institutions, and others. In addition, we also have processors implying the natural or legal persons, public authorities, or other bodies that engage in the processing of personal data on behalf of controllers.

Skip to 1 minute and 43 secondsNaturally, these persons and entities can be the same as controllers, but their tasks and responsibilities are more limited, given that they only process personal data on controllers behalf. They are required, for instance, to maintain a record of all processing activities and ensure the security of processing, but do not have the main responsibility to apply the data protection by design and by default principle or carry out the data protection impact assessment, which needs to be done by the controllers. An important type of actor, from the perspective of the GDPR, are data subjects who are, in essence, identified or identifiable natural persons whose personal data are processed.

Skip to 2 minutes and 27 secondsIn short, it means that they are individuals, like you and me, who have certain personal information that is being processed. Importantly, these persons have significant rights under the GDPR regime that will be examined later in this course. The regulation requires controllers and processors to appoint Data Protection Officers or simply DPOs. They are designated on the basis of their professional qualities and more specifically on the basis of their expert knowledge of data protection law and practices and the ability to fulfil the tasks that must be carried out by them. Here you can see the DPO of the University of Groningen. He will tell you more about himself later in the course.

Skip to 3 minutes and 10 secondsDPOs have significant tasks in any organisation and are responsible for informing and advising controllers, processors, and their employees; monitoring compliance with the GDPR, with other EU and national data protection rules, and with the actual policies of controllers and processors with regard to the processing of personal data; and carrying out other important activities. Finally, one should not forget about supervisory authorities and the European Data Protection Board replacing the Article 29 Data Protection Working Party established under the Directive 95/46/EC. The functioning, the tasks, and the responsibilities of these entities will be explained in more detail later in this course.

Skip to 3 minutes and 58 secondsWe have just learned quite a lot about the key data protection roles from the perspective of the General Data Protection Regulation and should now be able to find our way in the labyrinth of rules laid down in the regulation that are applicable to them.

Key data protection roles

Getting to know the main actors under the GDPR and their key data protection roles is crucial to understanding this regulation.

You can find the relevant articles of the GDPR concerning each actor by clicking on the links in this table:

Actor Article
Data controller Article 4(7) GDPR
Data processor Article 4(8) GDPR
Data subject Article 4(1) GDPR
Data Protection Officer (DPO) Articles 37-39 GDPR
Supervisory authorities Article 4(21) GDPR and Article 51 GDPR
European Data Protection Board Recital 139 GDPR and Article 68 GDPR

Share this video:

This video is from the free online course:

Understanding the General Data Protection Regulation

University of Groningen

Contact FutureLearn for Support