EU data protection law imposes a series of requirements designed to protect individuals against the risks that result from the processing of their data. It also distinguishes among different types of actors involved in the processing, setting out different obligations for each actor. The most important distinction in this regard is the distinction between “controllers” and “processors”. Together, these concepts provide the very basis upon which responsibility for compliance with EU data protection law is allocated. As a result, both concepts play a decisive role in determining the potential liability of an organisation under EU data protection law, including the General Data Protection Regulation (GDPR).



Technological and societal developments have made it increasingly difficult to apply the controller-processor model in practice. The main factors are the growing complexity of processing operations, the diversification of processing, services and the sheer number of actors that can be involved. Against this background, this book seeks to determine whether EU data protection law should continue to maintain the controller-processor model as the main basis for allocating responsibility and liability.



This book provides its readers with the analytical framework to help them navigate the intricate relationship of roles, responsibility and liability under EU data protection law. The book begins with an in-depth analysis of the nature and role of the controller and processor concepts. The key elements of each are examined in detail, as is the associated allocation of responsibility and liability. The next part contains a historical-comparative analysis, which traces the origin and development of the controller-processor model over time. To identify the main problems that occur when applying the controller-processor model in practice, a number of real-life use cases are examined (cloud computing, social media, identity management and search engines). In the final part, a critical evaluation is made of the choices made by the European legislature in the context of the GDPR. It is clear that the GDPR has introduced considerable improvements in comparison to EU Directive 95/46. In the long run, however, further changes may well be necessary. By way of conclusion, a number of avenues for possible improvements are presented.