UnixTime

Research Note

GDPR Scope, Roles, and Operating Model

A practical starting point for deciding whether GDPR applies, identifying controller and processor roles, and turning legal scope into system ownership.

On this page

Decision first

Do not start with a privacy-policy template. Start by identifying the processing activity, people affected, purpose, systems, jurisdictions, and parties that decide or perform the processing.

What GDPR regulates

GDPR regulates processing of personal data about identified or identifiable natural persons. Processing includes collection, storage, access, use, disclosure, transfer, alteration, restriction, and deletion. The technology is irrelevant: a database, spreadsheet, support ticket, log, paper register, model-training corpus, or backup can all be in scope.

Territorial questions

GDPR can apply to processing in the context of an EU establishment. It can also apply to a controller or processor outside the EU when processing relates to offering goods or services to people in the EU or monitoring their behavior there. Mere website accessibility is not, by itself, enough to prove that goods or services are being offered into the EU.

Role model

Role Core decision Engineering consequence
Controller Determines purposes and essential means Owns lawful basis, notices, rights, retention, processor selection, and accountability evidence
Joint controllers Determine purposes and means together Must allocate responsibilities transparently without removing data-subject rights
Processor Processes personal data on documented controller instructions Needs an Article 28 contract, security controls, subprocessor governance, assistance, and deletion or return duties
Subprocessor Processes data for a processor Requires authorization and equivalent downstream obligations
DPO Advises and monitors where Article 37 requires appointment Must be independent, accessible, adequately resourced, and involved early
EU representative Represents certain non-EU controllers or processors under Article 27 Does not replace controller accountability

Scope record

For every candidate activity, record:

  1. the product, service, or business process;
  2. categories of people and personal data;
  3. purposes and expected outcomes;
  4. systems, logs, exports, backups, suppliers, and recipients;
  5. controller, processor, joint-controller, and subprocessor roles;
  6. establishment, targeting, and monitoring facts relevant to territorial scope;
  7. the owner who approves the scope decision; and
  8. the source law, guidance, contract, and review date.

Common failures

  • Treating all vendors as processors without checking who determines purpose.
  • Assuming a cloud provider owns GDPR accountability because it hosts the database.
  • Scoping only production databases and ignoring logs, support tools, exports, test data, and backups.
  • Claiming GDPR applies globally to every accessible website without analyzing establishment, targeting, or monitoring.
  • Publishing a notice before the processing inventory and role allocation exist.

Primary references

  • Gdpr
  • Privacy
  • Scope
  • Controller
  • Processor
  • Governance

Note Metadata

Aliases: GDPR Overview, GDPR Scope and Roles

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng