Skip main navigation

£199.99 £139.99 for one year of Unlimited learning. Offer ends on 28 February 2023 at 23:59 (UTC). T&Cs apply

Find out more

Key data protection roles

The GDPR addresses key data protection roles, such as data controllers, data processors and data subjects. Watch Evgeni Moyakine explain more.
Let’s now discuss the key data protection roles that are established by the General Data Protection Regulation. These are the main actors in the context of the new data protection regime that you should be aware of. Given that persons and entities involved in the processing of personal data do not have the same degree of legal responsibility, there is significant distinction made between data controllers and data processors. The former, acting as captains on board of ships, have more far-going legal responsibilities than the latter, who operate as seamen on ships. The obligations of controllers and processors will be addressed later in this course.
Data controller or simply controller, entails the natural or legal person, public authority, or any other body that alone or together with others determines the purposes and means of the processing of personal data. Basically, controllers decide what happens with personal data and are responsible for the processing. Among this category of actor, one can find numerous natural persons, such as pharmacists, politicians, lawyers, and others who can process information about individuals, as well as legal persons, such as companies, governmental organisations, non-profit organisations, educational institutions, and others. In addition, we also have processors implying the natural or legal persons, public authorities, or other bodies that engage in the processing of personal data on behalf of controllers.
Naturally, these persons and entities can be the same as controllers, but their tasks and responsibilities are more limited, given that they only process personal data on controllers behalf. They are required, for instance, to maintain a record of all processing activities and ensure the security of processing, but do not have the main responsibility to apply the data protection by design and by default principle or carry out the data protection impact assessment, which needs to be done by the controllers. An important type of actor, from the perspective of the GDPR, are data subjects who are, in essence, identified or identifiable natural persons whose personal data are processed.
In short, it means that they are individuals, like you and me, who have certain personal information that is being processed. Importantly, these persons have significant rights under the GDPR regime that will be examined later in this course. The regulation requires controllers and processors to appoint Data Protection Officers or simply DPOs. They are designated on the basis of their professional qualities and more specifically on the basis of their expert knowledge of data protection law and practices and the ability to fulfil the tasks that must be carried out by them. Here you can see the DPO of the University of Groningen. He will tell you more about himself later in the course.
DPOs have significant tasks in any organisation and are responsible for informing and advising controllers, processors, and their employees; monitoring compliance with the GDPR, with other EU and national data protection rules, and with the actual policies of controllers and processors with regard to the processing of personal data; and carrying out other important activities. Finally, one should not forget about supervisory authorities and the European Data Protection Board replacing the Article 29 Data Protection Working Party established under the Directive 95/46/EC. The functioning, the tasks, and the responsibilities of these entities will be explained in more detail later in this course.
We have just learned quite a lot about the key data protection roles from the perspective of the General Data Protection Regulation and should now be able to find our way in the labyrinth of rules laid down in the regulation that are applicable to them.

Getting to know the main actors under the GDPR and their key data protection roles is crucial to understanding this regulation.

You can find the relevant articles of the GDPR concerning each actor by clicking on the links in this table:

Actor Article
Data controller Article 4(7) GDPR
Data processor Article 4(8) GDPR
Data subject Article 4(1) GDPR
Data Protection Officer (DPO) Articles 37-39 GDPR
Supervisory authorities Article 4(21) GDPR and Article 51 GDPR
European Data Protection Board Recital 139 GDPR and Article 68 GDPR
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education