Roles & Responsibilities in Processing Personal Data

Personal data that is processed in accordance with EU Data Protection Regulation (EC) 45/2001 on the protection of individuals, regarding the processing of personal data must respect data protection roles. It is necessary to identify the Controller, Processor and their interaction, in order to determine “who is responsible for compliance with data protection rules, how data subjects can exercise their rights, which is the applicable national law and how effective Data Protection Authorities can operate.”

European Data Protection Supervisor (EDPS)

The EDPS is an independent supervisory authority whose primary objective is to ensure European bodies and institutions respect the right to privacy and data protection when they process personal data and develop new policies. The EDPS is also responsible for advising EC institutions and bodies on all matters that have an impact on the protection of personal data. This may apply to proposals for new EU legislation, as well as other instruments, such as communications of the European Commission. Finally, the EDPS is also responsible for intervening in cases before the Court of Justice, as well as cooperating with national supervisory authorities and supervisory bodies in the “third pillar” of the EU. This is in order to improve consistency in the protection of personal data.

The main duties of the EDPS are:

I.                    Supervision

  • Monitor the processing of personal data be EC institutions and bodies. This is typically done in cooperation with the Data Protection Officer (see below).
  • Hearing and investigating complaints, conducting inquiries (either initiated by the EDPS, or on the basis of a complaint).
  • Prior checking DPO’s notifications of processing operations, which could present risks to the data subjects.
  • Provide consulting services to EC institutions and bodies on administrative measures having to do with the processing of personal data.

II.                  Consultation

  • Advise all EC institutions and bodies on matters that relate to the processing of personal data.
  • Intervene in cases related to data protection, before the Court of Justice.

III.                Cooperation

  • Cooperate with national data protection authorities.
  • Cooperate with the supervisory data protection bodies.
  • Participate win regular international conferences on data protection (e.g. the European and the International Data Protection Conferences).

Data Protection Officer (DPO)

Under Regulation (EC) 45/2001, each Community institution and body must have a data protection officer (DPO). The DPO is responsible for ensuring the internal application of the Regulation, and that the rights and freedoms of the data subjects are not likely to be adversely affected by any processing operations. The DPO must also keep a register of processing operations notified by the controllers of the institution or body where he/she works.

Other DPO functions include:

  • Ensuring controllers and data subjects are informed of their rights and obligations
  • Carrying out inquiries, when necessary
  • Notifying the EDPS of processing operations that may present specific risks
  • Responding to any requests from the EDPS and cooperating with the EDPS

A full list of data protection officers is available here.

Data Controllers

The term “data controller” refers to an individual or legal person who controls and is responsible for the keeping and use of personal information on a computer, or in structured manual files. In essence, data controllers keep or process any information about living people. Any organizations that control or are responsible for personal data are also considered data controllers.

Examples of data controllers include:

  • Companies
  • Government departments
  • Voluntary organizations
  • Individuals (e.g. general practitioners, pharmacists, politicians and sole traders)

Data Processors

Data processors refer to anyone who holds or processes personal data, without exercising responsibility for/control over the personal data. In certain cases, it is possible for a single company/person to be both a data controller and data processor at the same time, in respect of distinct sets of personal data.

Examples of data processors include:

  • Payroll companies
  • Accountants
  • Market research companies

Data Subject

The data subject refers to the person whose personal data are collected, held or processed by the data controller.


This article takes a look at the legal roles of various parties, according to the Regulation (EC) 45/2010, namely: data subjects, data processors, data controllers, data protection officers and the European Data Protection Supervisor (EDPS).

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • Processing of personal data – roles (I.A.e.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>