Who is the controller?

It is very important to know who the Privacy Act designates as "controller", because this is the person who has to comply with almost all of the obligations imposed by the Privacy Act. In case of difficulties, controllers are responsible.


The controller is the most important point of contact for data subjects, but also for the authorities that have to supervise controllers.

Moreover, controllers determine the purposes and the means for a data processing operation. They are either natural persons (e.g. a physician), legal persons (e.g. a company), un-association organisations (e.g. a non-profit organisation) or public administrations (e.g. a municipality).

If an act, decree or ordinance prescribes the purpose and the means of a certain data processing operation, then the controller will also be designated by this act, decree or ordinance.

Controllers do not have to carry out the processing operation themselves, they can appeal to a so-called processor. This implies a type of subcontractorship in which someone else carries out the processing operation under the authority of the controller. A social secretariat often carries out certain processing operations for an employer, and an external book-keeping firm is in charge of a self-employed person's accounting. A supermarket chain can entrust a surveillance firm to install surveillance cameras and look at the footage. Attention: the Privacy Act does not consider as processers those who are under the direct authority of the controller and are consequently authorised to process data (such as a company employee). Processors are always external individuals or bodies.


  • Privacy Act, art. 1, §§ 4 and 5