1368. MAIN RESEARCH QUESTION – The distinction between controllers and processors is central to EU data protection law. Unfortunately, certain technological and social developments have rendered it increasingly difficult to apply this model in practice, thereby leading to legal uncertainty. The main research question this book set out to answer is whether the allocation of responsibility and liability among actors involved in the processing of personal data could be revised in a manner which increases legal certainty while maintaining at least an equivalent level of data protection. In order to answer this question, four sub-questions helped guide the research, namely:

1369. NATURE AND ROLE OF CONCEPTS – The concept of a controller is a functional concept: it enumerates a set of criteria with a view of allocating responsibilities upon those actors who exercise significant factual influence over the processing. The processor concept likewise serves to allocate responsibility, but is dependent primarily on a decision of a controller to enlist a separate actor to process personal data on its behalf. The primary role of both the controller and processor concepts is to allocate responsibility. In addition, both the controller and processor concepts play an important role in the determination of which law(s) applies (apply) to the processing, and in the determination of what is required in order to comply with certain substantive provisions of European data protection law.

1370. ORIGIN AND DEVELOPMENT – Before the term “controller” became a term of art, those responsible for ensuring compliance with data protection laws went by many names. Despite notable differences in terminology, two recurring elements can be distinguished. The first element is the element of mastery: the actor designated as being responsible for compliance had the ability to exercise power over the processing, in one form or another.