Which data protection roles and responsibilities apply?

Data protection roles and responsibilities within the data intermediary are clearly defined and depend on the specific use case and the agreements concluded between the involved parties.

Controllers and purposes of processing

Data holders and data users typically act as data controllers, as they determine the purposes and means of processing, in particular which data is shared, accessed, or further processed.

Role of the data intermediary

The data intermediary operates in a neutral manner and does not independently determine the purposes of data processing. Depending on the setup, the intermediary may act as a processor or as a controller for clearly defined technical and organisational processing activities.

Service providers and downstream processing

Service providers may act either as independent controllers or as processors when processing data on behalf of data holders or data users. The applicable role is clearly defined in the respective service agreements.

Contractual definition of roles

Data protection roles and obligations are clearly documented in the relevant contracts, in particular in data agreements, service agreements, and supplementary data protection provisions, ensuring transparency for all parties.

Joint controllership

Where multiple parties jointly determine the purposes and means of processing, joint controllership under Article 26 GDPR is contractually established and responsibilities for handling data subject rights are clearly allocated.

Safeguarding data subject rights

Regardless of the allocation of roles, all parties ensure that data subject rights under the GDPR are respected and that related requests can be handled efficiently and in a coordinated manner.