Who is the controller?
Moreover, controllers determine the purposes and the means for a data processing operation. They are either natural persons (e.g. a physician), legal persons (e.g. a company), un-association organisations (e.g. a non-profit organisation) or public administrations (e.g. a municipality).
If an act, decree or ordinance prescribes the purpose and the means of a certain data processing operation, then the controller will also be designated by this act, decree or ordinance.
Controllers do not have to carry out the processing operation themselves, they can appeal to a so-called processor. This implies a type of subcontractorship in which someone else carries out the processing operation under the authority of the controller. A social secretariat often carries out certain processing operations for an employer, and an external book-keeping firm is in charge of a self-employed person's accounting. A supermarket chain can entrust a surveillance firm to install surveillance cameras and look at the footage. Attention: the Privacy Act does not consider as processers those who are under the direct authority of the controller and are consequently authorised to process data (such as a company employee). Processors are always external individuals or bodies.
- Privacy Act, art. 1, §§ 4 and 5
- In general
- Theme sections
- Sensitive data
- Information security
- Data quality
- The different rights
- Cross-border transfers