Skip to content
Skip to page content

1. The controller is responsible for the processing of personal data

The icon features an open palm holding a rectangle, which represents personal data, with a symbol depicting a person in the centre. The icon is surrounded by a light green frame. This icon can be used to express that the situation involves the controller's obligations related to the processing of personal data.

The party that determines for what purposes and how personal data is being processed in hobby activities is the controller. As a rule, the party responsible for the hobby activity is the controller of the personal data. It is the controller’s duty to ensure that the processing of personal data complies with the data protection legislation.

The definition of ‘controller’ is functional: the purpose of the definition is to allocate responsibility for compliance with data protection regulations to the party that can actually influence the processing. When a hobby organiser uses an external service provider for managing the personal data of participants, an ERP system provided by an IT service provider, or an accounting firm for drawing up its accounts, the hobby organiser is the controller of the personal data processed by these external service providers, because it decided how and for what purposes the personal data is processed. In such cases, the external service provider is the processor. Even though the processor is processing the hobby organiser’s personal data, as the controller, the hobby organiser remains responsible for the personal data.

Example

A gymnastics club processes the personal data of various people in its activities. It processes the club members’ personal data for enabling hobby activities, the personal data of the club’s coaches for the payment of wages, the data of contestants in gymnastics competitions organised by the club, as well as the personal data of representatives of the club’s sponsors. The gymnastics club processes the club members’ personal data in the SPLITS system provided by Sports Systems Inc.

The gymnastics club considers the club’s Board to be the controller of the personal data processed in the club’s activities, because the Board is responsible for the gymnastics club’s activities and has determined the above-mentioned purposes and means for the processing of personal data in the hobby activity. The club’s Board is also the controller of the personal data being processed in the SPLITS system even though Sports Systems Inc is providing the system to the gymnastics club, because the Board has determined how the data is to be processed and which club employees can process which data in the system. Sports Systems Inc Oy serves as the processor of the personal data contained in the system.

In this example the Gymnastics club Board is the controller

  • determines why and how the personal data is processed

In this example Sports Systems Inc. is the processor

  • processes personal data on behalf of the controller and according to its instructions

Remember

The controller determines for which purposes personal data is processed and how.

What roles are involved in processing?
2. A processor acts on behalf of the controller