Cobwebs of control: the two imaginations of the data controller in EU law
International Data Privacy Law (IF 2.500), Pub Date: 2021-08-21, DOI: 10.1093/idpl/ipab017
Michèle Finck

Article 4(7) of the General Data Protection Regulation (‘GDPR’) defines the data controller as the natural or legal person that determines the purposes (the ‘why’) and the means (the ‘how’) of personal data processing. Article 24 provides that ‘[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers’. These legislative definitions seem to indicate that the controller decides why and how data is processed. Over time, however, regulatory guidance and judicial interpretations have significantly reduced the threshold of influence that is required. Whereas the determination of the purposes remains a condition (almost always fulfilled as any product or service’s use is motivated by a given objective), even the most marginal influence over the means, such as enabling someone else’s processing, suffices to be a controller. Ever more parties intervene in the personal data value chain as a consequence of technical and economic factors and the draft Data Governance Act also pushes in that direction. As a consequence, parties with no access to the data or the software used to process it are controllers. The mellow definition of control, coupled with the restrictive reach of the household exemption and the growing decentralization of data collection, storage, and processing, entails that ever more parties are controllers. This includes data subjects, which increasingly qualify as controllers both in relation to others’ data as well as their own, something that is antithetical to the GDPR’s objectives and indeed the very structure of the law.
Key Points
  • The conception of control in EU data protection law, coupled with the restrictive reach of the household exemption and growing decentralization of data collection, storage, and processing, entails that ever more parties are controllers.
  • This includes data subjects, which can be controllers in relation to others’ data as well as their own despite this being antithetical to the GDPR’s objectives.
  • The expansive approach towards controllership has been motivated by an assumption that the more parties are responsible for compliance, the more protection data subjects enjoy. This article rejects that assumption by highlighting that (i) broad definitions of control fail to achieve the stated objective of the complete and effective protection of data subjects; (ii) are undesirable from a political economy perspective; and (iii) undermine the law’s effectiveness.
  • Alongside the prevailing interpretation of controllership, however, a parallel imagination of the controller, which presupposes meaningful influence over the techno-organizational elements of processing, can be made out. The article closes by suggesting a new test of control that returns to the etymological and conceptual origins of the concept by requiring a de minimis threshold of influence over the means of processing.
The expansive approach towards controllership has been motivated by the explicit assumption that the more parties are responsible for compliance, the more protection data subjects enjoy. This article rejects that assumption. It illustrates that it is paradoxical to define actors with no access to the data or relevant software as controllers as they have no means of understanding and shaping related processes and thus cannot comply with controller duties such as the provision of information, system design or the enforcement of data subject rights.


Updated: 2021-08-21