Both a natural person and a legal person can be a personal data controller under the GDPR. A controller may also be a public authority, agency or other body. In some cases, two or more parties are jointly responsible for the personal data: they are joint controllers (Article 26 of the GDPR), which means that they determine the purposes and means of the processing together and must agree between themselves who is responsible for which obligations.
Article 4(7) of the GDPR defines the personal data controller. The controller is the person or body that decides for what purposes personal data is to be processed and by what means the processing is to take place. The controller is responsible for ensuring that the processing complies with all the provisions of the GDPR, and must be able to demonstrate that compliance (Article 5(2)).
A personal data controller has certain rights and obligations. In some cases, a personal data controller must appoint a data protection officer (DPO) (Article 37 of the GDPR). It is also common for a company to need to carry out a data protection impact assessment (DPIA). Article 35 of the GDPR requires this where the processing is likely to result in a high risk to the rights and freedoms of natural persons. If the DPIA shows that the processing would result in a high risk that the controller cannot sufficiently mitigate, the company must consult the Supervisory Authority before the processing starts (Article 36).
A natural or legal person may be responsible for personal data
In a limited liability company, it is the limited liability company as such that is the personal data controller. In addition, the board has the ultimate responsibility and must ensure that the company complies with the GDPR. A company can appoint a specific person who ensures that personal data is processed correctly and that the company has policies and internal routines for GDPR compliance.
If a company does not comply with the GDPR, the Supervisory Authority can impose an administrative fine. For the most serious breaches, the fine can amount to up to EUR 20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)). The size of the fine depends on, among other things, the nature, gravity and duration of the breach, whether it was intentional or negligent, the size of the company, and how the company acted after the breach, for example what it did to mitigate the damage and how it cooperated with the Supervisory Authority (Article 83(2)).