Practically every organisation in the world processes personal data. In fact, it is difficult to imagine a single organisation which does not regularly collect, store or access information about individuals. European data protection law imposes a series of requirements designed to protect individuals against the risks that result from the processing of their data. It also distinguishes among different types of actors involved in the processing and sets out different obligations for each type of actor. The most important distinction in this regard is the distinction between “controllers” and “processors”. Together these concepts provide the very basis upon which responsibility for compliance with EU data protection law is allocated. As a result, both concepts play a decisive role in determining the potential liability of an organisation under EU data protection law.

For almost 15 years, Directive 95/46 stood strong as the central instrument of EU data protection law. In 2010, however, the European Commission announced that the time for change had come. The Commission considered that while the objectives and principles of Directive 95/46 remained sound, revisions were necessary in order to meet the challenges of technological developments and globalisation. A public consultation conducted in 2009, had revealed concerns regarding the impact of new technologies, as well as a desire for a more comprehensive and coherent approach to data protection. During the consultation, several stakeholders also raised concerns regarding the concepts of controller and processor. Various solutions were put forward, ranging from minor revision to outright abolition of the concepts. In the end, the EU legislature opted to retain the existing concepts of controller and processor in the General Data Protection Regulation (GDPR). Notable changes were made, however, with regards to the allocation of responsibility and liability among the two types of actors.

Technological and societal developments have rendered it increasingly difficult to apply the concepts of “controller” and “processor” in practice. The complexity of today's processing operations is such that a clear-cut distinction between “controllers” and “processors” is not always possible. Identifying “who's who” can be particularly difficult when the processing involves a large number of actors, who each play their own distinct role in realising the goal(s) of the processing.