Controller & Processor
A person who determines the purposes and means of the processing (using) of personal data is called a controller. A person who actually processes (uses) personal data is called a processor. Sometimes controller and processor is the same person but the processor may also be another person acting on behalf of the controller. Also you, yourself, may be involved in the processing of other people’s data. For example, if your fellow students have shared their passport numbers and identity codes with you, so that you can buy online flight tickets for your joint trip, you have now become a user of their personal data.
However, there is an exception when you, as an individual, are not considered to be a data user: if you process someone’s personal data for purely personal or household activities and, at the same time, you don’t disclose this data to third parties.
If there has been a personal data breach which might result in a risk to the rights and freedoms of a person whose data have been processed, the controller has to inform about it the particular person and the Data State Inspectorate.
example A personal data breach of such a nature may be a publication of personal data of a particularly sensitive nature, such as data concerning personal health and sex life, as it infringes person’s right to private life.
Applicable as of 25 May 2018
Articles 2 (2) c, 4 (7) and (8), 24-34
Joint publication by the EU Agency for Fundamental Rights and the Council of Europe
9 October 2015
See Summary on case law regarding the access to data
(2019-2019), pages 44-49