Who's who in data protection terms?

The main actors in the world of data protection are you, the data subject; the organisation or person who is processing personal data relating to you, the data controller; and the supervisory authority. In Ireland the supervisory authority is the Data Protection Commission, often shortened to DPC.

We’ve already covered the data subject – that’s you – in ‘What’s a data subject anyway?’, so let’s move on to the others.

The data controller

The data controller is the organisation or person who decides which personal data is processed, for what reasons and how – in the words of the law “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (GDPR, Article 4).

The data controller's obligations

Every data controller, big or small, has to process your personal data in compliance with the GDPR, and any additional local data protection laws.

There are seven principles of data protection set out in the GDPR. All processing of your personal data must abide by these principles. The principles cover

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • data accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability

Any processing of personal data which is not in line with all of these principles is not compliant with the law. The principles are explained in more detail in ‘What the data protection principles mean for you’.

All processing of your personal data by any data controller must have a lawful basis. In other words they must have a good reason to process personal data concerning you. There are six lawful bases. Contrary to what you may have read or heard elsewhere, you giving your consent to the data controller is not the only lawful basis which can be used to process your personal data. Far from it.

These lawful bases are

  • Two based on an agreement between you and the data controller – contract and consent
  • Two which are subjective – vital interests and legitimate interests
  • Two based on a law – performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and compliance with a legal obligation

You can read more about lawful basis in ‘Lawful basis: a short explanation’.

The Independent Supervisory Authority

The supervisory authority is responsible for making sure all personal data processing in its jurisdiction is done fairly and in accordance with the law. You have a right to complain to the Data Protection Commission about any processing of your personal data which you feel infringes data protection law. The Data Protection Commission supervises all processing of personal data by both private and public sector data controllers. It must be independent of government since it is responsible for regulating the use of personal data by government bodies.

“Both EU and CoE law view the existence of independent supervisory authorities as indispensable for the effective protection of the individuals’ rights and freedoms regarding the processing of their personal data”
(Handbook on European data protection law, 2018 edition, p189)

You might think if you have a complaint about an organisation processing your personal data then you should go straight to the DPC. In reality this isn’t how the system works. In most cases the DPC will ask you to try and resolve the issue by talking to the data controller. You have to do a lot of the evidence gathering, frequently by using your right of access to examine what personal data of yours is being processed, and whether that processing is being done in accordance with the law.

In summary, you have extensive rights, every data controller who processes your personal data has extensive obligations and the Data Protection Commission’s job is to make sure your rights are protected and that data controllers are meeting their obligations.

Other actors

There are some more actors on the data protection stage whom you might need to be aware of, so here’s a quick summary of who they are and what their roles are relative to you.

Data Processors

An organisation or person who processes data on behalf of the data controller. As a data subject you shouldn’t have to have any interactions with data processors since the data controller is responsible for ensuring all data processors they employ act in accordance with the law.


Recipients

An organisation or person with whom personal data is shared. As part of your right to information a data controller has to tell you “the recipients or categories of recipients of the personal data, if any” (GDPR, Article 13 & Article 14).

Data Protection Officers

Some – but not all – organisations who process personal data must appoint a Data Protection Officer. The Data Protection Officer is “a person with expert knowledge of data protection law and practices” who “should assist the controller or processor to monitor internal compliance with this Regulation.” (GDPR, Recital 97).

All public authorities (government departments, government agencies etc.) must have a Data Protection Officer. If an organisation does have a Data Protection Officer you have a right to contact them.

Read more elsewhere

‘What is a data controller or a data processor?’, European Commission.

‘Definition of Key Terms’, Data Protection Commission of Ireland.

