A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[1] That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.[2] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”[3] Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.

The EDPB has suggested that accountants may act as controllers or processors in different situations. The following table describes those situations in which an accountant might take on controller-related functions and, therefore, would be considered a controller:

| Controller function | Present? |
|---|---|
| Purpose of processing | |
| Why. The entity determines why the processing is taking place. | X |
| Essential means | |
| Data types. The entity determines which data will be processed. | The EDPB recognized that in some situations an accounting firm may need to determine what data it needs to have in order to carry out its auditing function. When this occurs, the EDPB has suggested the accounting firm would be considered a controller. |
| Duration. The entity determines how long data is processed / stored. | The EDPB recognized that in some situations an accounting firm may need to determine how long information collected should be kept (e.g., to satisfy legal obligations imposed upon the accounting firm). When this occurs, the EDPB has suggested the accounting firm would be considered a controller. |
| Recipients. The entity determines who shall have access to the data outside of the organization. | X |
| Data subjects. The entity determines whose personal data is processed. | The EDPB recognized that in some situations an accounting firm may need to determine whose personal information needs to be accessed or viewed. When this occurs, the EDPB has suggested the accounting firm would be considered a controller. |

[1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.