Article 4 paragraph 7 GDPR:
"Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, it may specify who the controller is or according to which criteria it is designated."
Explanation: those who hold the formal legal authority to determine the purposes and means of processing are, for example, the board of directors, the management, the entrepreneur, the mayor or the minister.
The scope of the sanctions under the data breach notification obligation, as well as under the GDPR, broadens responsibility to supervisory bodies such as the supervisory board or the municipal council. The accountant charged with the statutory audit or the compilation of the annual accounts will check to what extent sanctions may be imposed. If the exposure is material, the auditor cannot approve or compile the financial statements and will insist that a provision be made. The accountant will also check the controller's annual report and state in the audit report the extent to which the controller has data protection and privacy in order.