{"id":10741,"date":"2025-06-17T10:23:42","date_gmt":"2025-06-17T08:23:42","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=10741"},"modified":"2025-07-08T13:55:44","modified_gmt":"2025-07-08T11:55:44","slug":"data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/","title":{"rendered":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\"><strong>GDPR role, how to determine? <\/strong><\/h4>\n\n\n\n<p>The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification <a href=\"https:\/\/www.cnil.fr\/fr\/rgpd-comment-bien-identifier-son-role\">does not always depend on a contractual choice but on the facts<\/a>: who decides what, and who executes what, concerning personal data. <strong>The controller <\/strong>is the natural or legal person who determines both the purposes and the means of the processing, the &#8220;why&#8221; and &#8220;how&#8221; of the use of personal data, ensures compliance with the GDPR, but does not necessarily have actual access to the data:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The essential means: what personal data is collected and used, for how long, who the recipients are, etc.<\/li>\n\n\n\n<li>Non-essential means: technical implementation, such as the choice of software.<\/li>\n\n\n\n<li>Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.<\/li>\n<\/ul>\n\n\n\n<p><strong>The processor<\/strong>, meanwhile, is a person or body that processes personal data on behalf of the controller. 
They must always comply with the instructions given by the controller. Sometimes, they can choose the technical means that seem most suitable, <a href=\"https:\/\/www.cnil.fr\/fr\/rgpd-comment-bien-identifier-son-role\">as long as this respects the objectives set by the controller<\/a>. If the processor decides on the objectives and means itself they exceed their GDPR role. In this case, they are considered to be the data controller and may be sanctioned.&nbsp;<\/p>\n\n\n\n<p>Only under certain conditions may the processor reuse the data entrusted to them by the data controller for their own purposes. For example, a subcontractor may reuse data for the purpose of improving its cloud computing services. Such re-use could be considered compatible with the original processing, subject to appropriate safeguards such as anonymisation. On the other hand, their reuse for commercial prospecting purposes would hardly <a href=\"https:\/\/www.cnil.fr\/fr\/sous-traitants-la-reutilisation-de-donnees-confiees-par-un-responsable-de-traitement\">satisfy the &#8220;compatibility test&#8221;<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>UK data <\/strong>reform<\/h4>\n\n\n\n<p>The Data Use and Access Bill (DUAB) has<a href=\"https:\/\/www.parliament.uk\/business\/news\/2025\/may\/data-use-and-access-bill-lords-consideration-of-commons-amendments\/\"> passed Parliament<\/a> and now awaits the Royal Assent, when it will become law. The bill introduces a framework of \u2018smart data\u2019 schemes to regulate the access, sharing, and protection of customer and business data across various sectors. 
It introduces, among other things, a recognised legitimate interest list to streamline data use for public safety, interoperable medical records and timely access for professionals, while <a href=\"https:\/\/www.wired-gov.net\/wg\/news.nsf\/articles\/Data+Use+and+Access+Bill+Passes+Ushering+in+New+Era+for+UK+Innovation+13062025162000?open\">maintaining a risk-based approach to automated decision-making<\/a> and sensitive personal information, etc. The<a href=\"https:\/\/digitalpolicyalert.org\/event\/31009-data-use-and-access-bill-including-data-protection-authority-governance-was-adopted-by-parliament\"> UK Information Commissioner is tasked with enforcing<\/a> the regulations that will be introduced under the bill.&nbsp;The UK now benefits from the EU&#8217;s adequacy regime for personal data transfers, which was extended by six months on the Commission&#8217;s recommendation, until the end of 2025. This allows the UK government to complete the DUAB in advance of Brussels&#8217; next adequacy assessment.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More legal updates<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:30% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeVEnfQjiTJhjmFfjV3bmssaginrYbO5GDlg71oDTWGuNFzQCb5uEm-XIsRP2RO8C8OCO347pHdeqUU3VxQvuVKK-phiqptBWKILXJGjk24rY7_GoRAPnr2JlS3zeNY5CXimeSO7A?key=ImSrWQgdUnnHkwO7rWgkIA\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>EDPB latest: <\/strong>The European Data Protection Board has published the final version of guidelines on data transfers to third-country authorities. The EDPB clarifies how organisations can best assess under which conditions they can lawfully respond to requests for personal data from non-European authorities. 
For example, the updated guidelines address the situation where the recipient of a request is a processor, or where <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/guidelines\/guidelines-022024-article-48-gdpr_en\">a mother company in a third country receives a request from that country&#8217;s authority and then requests the personal data from its subsidiary in Europe<\/a>.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<p>The EDPB also published training material on <a href=\"https:\/\/techgdpr.com\/blog\/ai-and-the-gdpr-understanding-the-foundations-of-compliance\/\">AI and data protection<\/a> addressed to professionals with a legal and technical focus, such as <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/support-pool-experts-projects\/law-compliance-ai-security-data_en\">data protection officers<\/a>, privacy professionals, <a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/support-pool-experts-projects\/fundamentals-secure-ai-systems-personal_en\">cybersecurity professionals<\/a>, developers or deployers of high-risk AI systems.&nbsp;<\/p>\n\n\n\n<p><strong>High-risk AI: <\/strong>The European Commission opened a <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/news\/commission-launches-public-consultation-high-risk-ai-systems\">consultation on the classification of AI systems as high-risk<\/a> as part of the implementation of the AI Act, until 18 July. 
AI systems classified as high-risk must be developed and designed to meet the requirements on data and data governance, documentation and record-keeping, transparency and provision of information to users, human oversight, robustness, accuracy, security and more.&nbsp;The targeted consultation aims to collect input from stakeholders on practical examples of AI systems and issues to be clarified in the Commission\u2019s guidelines.&nbsp;<\/p>\n\n\n\n<p><strong>Australia privacy updates: <\/strong>The Bird &amp; Bird legal blog explains that from 10 June 2025, Australia&#8217;s statutory tort for serious invasions of privacy comes into force. Passed by Parliament last year as part of a privacy reform, it introduces several causes that could trigger a legal action and remedies: a) invasion of privacy, b) reasonable expectation of privacy, c) fault element, d) seriousness, and e) public interest balancing. Read more details on who will be exempt from these rules in the <a href=\"https:\/\/www.twobirds.com\/en\/insights\/2025\/australia\/4-things-to-know-about-australia's-new-statutory-tort-of-privacy\">original publication<\/a>.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Pixel tracking<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:30% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfTeub7FonlWUk6vcACoQNHOMD6OyQsoYFZXjMpc8KlU2CDQD92iPuDGpYnJE7JogTa_WGB2I2-c6dq1wEGubHLgNX_UXU234MQYdka2XMdkFyMHykBFuPoifp_bq_Yo1l56Zy1Ag?key=ImSrWQgdUnnHkwO7rWgkIA\" alt=\"GDPR role\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The French regulator CNIL opened a public consultation on its draft recommendation (in French) on the use of tracking pixels in emails. 
The objective is to help the actors who use these trackers to better understand their obligations, particularly in terms of collecting user consent. Tracking pixels are an alternative tracking method to cookies. They take the form of an image of 1 pixel by 1 pixel, integrated into a website or an email, but invisible to the user. Loading this image, whose name contains a user ID, lets you know that the tracked user has visited a page or read an email. The <a href=\"https:\/\/www.cnil.fr\/fr\/webform-consultation-pixel-impact-economique\">consultation<\/a> will close on 24 July.<\/p>\n<\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">More from supervisory authorities<\/h4>\n\n\n\n<p><strong>Federated learning: <\/strong>The EDPS elaborated on the benefits and limitations of Federated Learning (FL) &#8211; an approach to Machine Learning (ML) that allows multiple sources of data (devices or entities) to collaboratively train a shared model while keeping data decentralised. From a personal data protection perspective, FL offers significant benefits through minimised personal data sharing (data exchanged among the client devices and the resulting ML models can be treated as anonymous data) and purpose limitation. However, one of the primary concerns remains the potential for data leakage through model updates, as even without direct access to raw data, an attacker could infer sensitive information by analysing the gradients or weights shared between devices. 
Continue reading the <a href=\"https:\/\/www.edps.europa.eu\/data-protection\/our-work\/publications\/techdispatch\/2025-06-10-techdispatch-12025-federated-learning_en\">EDPS analysis here<\/a>.&nbsp;<\/p>\n\n\n\n<p><strong>Unintentional disclosure:<\/strong> The situations in which <a href=\"https:\/\/cpdp.bg\/%d1%81%d1%8a%d0%b2%d0%b5%d1%82%d0%b8-%d0%bf%d1%80%d0%b8-%d0%bd%d0%b5%d0%b2%d0%be%d0%bb%d0%bd%d0%be-%d0%b8%d0%bb%d0%b8-%d0%bd%d0%b5%d0%be%d0%b1%d0%bc%d0%b8%d1%81%d0%bb%d0%b5%d0%bd%d0%be-%d1%80%d0%b0\/\">personal data are unintentionally disclosed are increasingly occurring<\/a>, according to the Bulgarian regulator CPDP. The most common cases concern: a) unintentionally or thoughtlessly providing data in a phone conversation or electronic communication with services &#8211; brokerage and investment services, marketing research etc, b) lost documents containing personal information, including copies of IDs, c) incorrectly provided documents to service providers, d) responding to misleading messages through phishing, smishing, and vishing. 
If you have inadvertently disclosed your personal information in the situations described above:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Save all messages, emails, phone numbers, documents and other relevant evidence.&nbsp;<\/li>\n\n\n\n<li>If you have sent information to the wrong address, immediately contact the actual recipient or the one to whom you intended to send the message to inform them and seek any assistance.<\/li>\n\n\n\n<li>If you have managed to establish contact with the actual recipient, request to exercise your right to erasure.&nbsp;<\/li>\n\n\n\n<li>Change passwords and enable two-factor authentication wherever possible.&nbsp;<\/li>\n\n\n\n<li>Monitor your bank accounts, social media accounts, and other online platforms.&nbsp;<\/li>\n\n\n\n<li>Tell your family, friends, colleagues so that they can take preventive precautions, etc.&nbsp;<\/li>\n<\/ul>\n\n\n<div id=\"newslettersignup\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Vodafone <\/strong>multimillion fines<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:30% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdGxuTk_ieZB0l3jAR9iYhorVVWfAQUFgaAroVK02lXsizOvCSJm4WczmaOMdgob84N-hmjkSLXX1waKMWMa25Xnk6Aaz1ZjLc-G9m3WzxQSX3NvV3eKydMor7MoD1kW37BMHi6?key=ImSrWQgdUnnHkwO7rWgkIA\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The German federal data protection authority BfDI issued <a href=\"https:\/\/www.bfdi.bund.de\/SharedDocs\/Pressemitteilungen\/DE\/2025\/06_Geldbu%C3%9Fe-Vodafone.html\">fines totalling 45 mln euros as well as a reprimand imposed on Vodafone<\/a>. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. Investigations found <a href=\"https:\/\/www.edpb.europa.eu\/news\/national-news\/2025\/german-federal-sa-administrative-fines-amount-eu15-000-000-and-eu30-000-000_en\">privacy-related weaknesses in the processes to supervise and audit the processors as well as weaknesses in the IT systems<\/a> leading to the risk of customer data being misused for fraud. Such risks actually materialised in some cases.<\/p>\n<\/div><\/div>\n\n\n\n<p>Furthermore, Vodafone offers an online service portal for its customers. 
When used in combination with the company\u2019s hotline, investigations found weaknesses in the authentication process for the customer accounts that could lead to misuse of eSIMs, etc.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Spotify and Vinted fines upheld<\/strong><\/h4>\n\n\n\n<p>In Sweden, an appeal court upheld the approx. 5.2 mln euro fine imposed on Spotify AB for noncompliance with the GDPR. The company must therefore pay a penalty fee. Spotify <a href=\"https:\/\/www.domstol.se\/nyheter\/2025\/06\/spotify-ab-ska-betala-en-sanktionsavgift\/\">did not provide in a clear and easily accessible manner the information<\/a> necessary for the data subject to be able to exercise their rights. It also failed to provide information about storage periods and criteria for determining these, and did not provide sufficient information about appropriate safeguards when transferring personal data to a third country or an international organisation.&nbsp;<\/p>\n\n\n\n<p>Similarly, the Regional Administrative <a href=\"https:\/\/vdai.lrv.lt\/lt\/naujienos\/teismas-atmete-uab-vinted-skunda-del-vdai-sprendimu\/\">Court in Lithuania rejected the complaint of UAB Vinted regarding decisions taken by the State Data Protection Inspectorate<\/a> VDAI. The court found that all the examined factual circumstances and legal norms were assessed properly, and the regulator acted in accordance with the law and the limits of its competence. 
Last year, the <a href=\"https:\/\/vdai.lrv.lt\/lt\/naujienos\/internetine-devetu-drabuziu-prekybos-ir-mainu-platforma-valdanciai-bendrovei-skirta-bauda-pagal-bendraji-duomenu-apsaugos-reglamenta\/\">VDAI fined the company 2.3 mln euros<\/a> for GDPR violations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>improper processing of requests from personal data subjects to delete their data and insufficient and unclear information provided;<\/li>\n\n\n\n<li>improper implementation of the accountability principle;<\/li>\n\n\n\n<li>processing of personal data through so-called shadow blocking, which was carried out without a clear and lawful basis.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">In other news<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:30% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfw2WZkcKkmwBdqR9PRS3pPTAovUfg51ik5_pQtIohnTMwievnAIjpHe3dpTg56mYhJBTudkucp04YSwIJEU0JYXkMdwPruh8FJQ3ebfeyPwOEKMXOi5BShnHfhYfqc4JseSiaJ?key=ImSrWQgdUnnHkwO7rWgkIA\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Pixel tracking fine:<\/strong> The Norwegian regulator has audited six websites&#8217; use of tracking pixels. All of them <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2025\/ulovlig-deling-av-personopplysninger-gjennom-sporingspiksler-hos-seks-nettsteder\/\">shared visitors&#8217; personal data with third parties without any legal basis<\/a> (e.g., visitors were &#8220;duped&#8221; into consent), and in several of the cases the data was sensitive. The websites covered an online pharmacy, services for vulnerable children, medical services, information about various diseases, conditions and diagnoses, and a website that sells bibles. 
The information included which websites people visited, what actions they took, or what they added to their shopping cart. <\/p>\n<\/div><\/div>\n\n\n\n<p>The regulator also found violations of the duty to provide information. In one of the cases, it imposed a fine of approx. 22,000 euros.&nbsp;<\/p>\n\n\n\n<p><strong>Online pharmacy user tracking fine:<\/strong> Finland\u2019s data protection agency meanwhile issued a 1,100,000 euro fine against the pharmacy company Yliopiston Apteekki because of data protection shortcomings, also related to the use of tracking services. The regulator started investigating the practices of the company after a doctoral researcher from the University of Turku contacted them. Using network traffic analysis, the researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services.<\/p>\n\n\n\n<p>Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on <a href=\"https:\/\/tietosuoja.fi\/en\/-\/yliopiston-apteekki-fined-for-online-shop-data-protection-shortcomings\">users\u2019 interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta<\/a>, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button. The transmitted data also included users\u2019 IP addresses and other identifying data. 
If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>23andMe bankruptcy case<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:30% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcl72supTH9vwDkWU8vOzzSHe-bLk46Vy8RpNhCM5qM6MlRmamrihT-JP7PeDTdw-VsrDFuusO7zTQ0B50HpeSuIcF8458_e53o98s3JntLREn4Hurmu3Tik57HD_ZOzIPsQTY4Pw?key=ImSrWQgdUnnHkwO7rWgkIA\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>23andMe\u2019s customers should be given the <a href=\"https:\/\/www.vitallaw.com\/news\/23andme-should-obtain-consent-from-each-customer-for-data-sale-court-advised\/cspd013f2b399e5c414e93b796726de068cd89\">opportunity to consent to the sale of their personal data to whoever buys the company\u2019s assets<\/a>, a consumer privacy ombudsman has told the bankruptcy court handling 23andMe\u2019s case, VitalLaw law blog reports. An alternative safeguard would be for the consent request to come from the winning bidder. The question of what happens to 23andMe\u2019s data upon sale has attracted significant interest from privacy advocates, lawyers and politicians, with US congressional hearings and calls for legislation to protect genetic data. 
You can view the whole 211-page ombudsman report into 23andMe&#8217;s planned sale of customers&#8217; personally identifiable information <a href=\"https:\/\/business.cch.com\/CybersecurityPrivacy\/23andmeombudsmanreport.pdf\">here<\/a>.&nbsp;<\/p>\n<\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">In case you missed it&nbsp;<\/h4>\n\n\n\n<p><strong>Diversity at work: <\/strong>In a context of <a href=\"https:\/\/www.cnil.fr\/fr\/recommandation-mesure-diversite-travail\">increased awareness of the fight against discrimination<\/a>, more organisations want to measure the diversity within their workforce. Diversity measurement surveys distributed by employers to their employees collect personal, sometimes sensitive, data, explains the French CNIL, and must be accompanied by guarantees, in accordance with the GDPR. These surveys must remain optional, and employees or agents must be properly informed and their rights respected. The CNIL also recommends favouring anonymous surveys and limiting the data collected with closed-ended questions. Further advice for employers (in French) can be read <a href=\"https:\/\/www.cnil.fr\/sites\/cnil\/files\/2025-06\/recommandation_mesure_de_la_diversite_au_travail.pdf\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p><strong>AI assistants industry: <\/strong>Building AI assistants that fit into our daily lives is a top priority for the AI sector. Privacy International says that companies in this field need to respond to concerns about how they will secure our data. The processing power that AI tools need for some tasks is perhaps too much for a personal device, and <a href=\"https:\/\/privacyinternational.org\/news-analysis\/5591\/are-ai-assistants-built-us-or-exploit-us-and-other-questions-ai-industry\">cloud-enabled synchronisation<\/a> is how the corporations address that problem. 
Once the data leaves the device, businesses could use it to train their systems, and they might grant access to your data to their employees and service providers. These surpass what a consumer may reasonably expect. Therefore, AI firms must inform users about:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How do I have granular control over access to sensors, data and apps?<\/li>\n\n\n\n<li>How can I easily access settings to retract consent?<\/li>\n\n\n\n<li>Where is the clear information on what data is used to respond to a query?<\/li>\n\n\n\n<li>How can I access and delete any data accessed and used by the Assistant?<\/li>\n<\/ul>\n\n\n\n<p>According to PI, this is why it is crucial that users insist that their data be <a href=\"https:\/\/privacyinternational.org\/news-analysis\/5591\/are-ai-assistants-built-us-or-exploit-us-and-other-questions-ai-industry\">processed on their devices as much as possible and used only for specific and limited reasons<\/a>.&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GDPR role, how to determine? The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. 
The controller is the natural [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":10743,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94,88],"tags":[51,129,256,257,58,79],"class_list":["post-10741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","category-gdpr","tag-artificial-intelligence","tag-consumer-data-protection","tag-data-controllers","tag-data-processors","tag-gdpr-compliance","tag-international-transfers"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-1024x683.jpg",640,427,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-200x200.jpg",200,200,true]},"post_excerpt_stackable":"<p>GDPR role, how to determine? The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. 
The controller is the natural or legal person who determines both the purposes and the means of the processing, the &#8220;why&#8221; and &#8220;how&#8221; of the use of personal data, ensures compliance with the GDPR, but does not necessarily have actual access to the data: The essential means: what personal data&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>, <a href=\"https:\/\/techgdpr.com\/blog\/category\/gdpr\/\" rel=\"category tag\">GDPR<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-1024x683.jpg",640,427,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg",1280,854,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280-200x200.jpg",200,200,true]},"post_excerpt_stackable_v2":"<p>GDPR role, how to determine? The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. 
The controller is the natural or legal person who determines both the purposes and the means of the processing, the &#8220;why&#8221; and &#8220;how&#8221; of the use of personal data, ensures compliance with the GDPR, but does not necessarily have actual access to the data: The essential means: what personal data&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>, <a href=\"https:\/\/techgdpr.com\/blog\/category\/gdpr\/\" rel=\"category tag\">GDPR<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR role\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR role\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-17T08:23:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-08T11:55:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"854\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role\",\"datePublished\":\"2025-06-17T08:23:42+00:00\",\"dateModified\":\"2025-07-08T11:55:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/\"},\"wordCount\":2226,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/laptop-3233780_1280.jpg\",\"keywords\":[\"Artificial Intelligence\",\"consumer data protection\",\"data controllers\",\"data processors\",\"GDPR Compliance\",\"International transfers\"],\"articleSection\":[\"Data Protection 
Digest\",\"GDPR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/\",\"name\":\"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/laptop-3233780_1280.jpg\",\"datePublished\":\"2025-06-17T08:23:42+00:00\",\"dateModified\":\"2025-07-08T11:55:44+00:00\",\"description\":\"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR 
role\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/laptop-3233780_1280.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/06\\\/laptop-3233780_1280.jpg\",\"width\":1280,\"height\":854,\"caption\":\"GDPR role\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR 
role\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. 
Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - TechGDPR","description":"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR role","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/","og_locale":"en_US","og_type":"article","og_title":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - TechGDPR","og_description":"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR role","og_url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/","og_site_name":"TechGDPR","article_published_time":"2025-06-17T08:23:42+00:00","article_modified_time":"2025-07-08T11:55:44+00:00","og_image":[{"width":1280,"height":854,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg","type":"image\/jpeg"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role","datePublished":"2025-06-17T08:23:42+00:00","dateModified":"2025-07-08T11:55:44+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/"},"wordCount":2226,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg","keywords":["Artificial Intelligence","consumer data protection","data controllers","data processors","GDPR Compliance","International transfers"],"articleSection":["Data Protection Digest","GDPR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/","url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/","name":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR role - 
TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg","datePublished":"2025-06-17T08:23:42+00:00","dateModified":"2025-07-08T11:55:44+00:00","description":"TechGDPR\u2019s review of the most important data-related stories: Data controller, processor, how to properly identify your GDPR role","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/06\/laptop-3233780_1280.jpg","width":1280,"height":854,"caption":"GDPR role"},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Data protection digest\u00a02-16 June 2025: Data controller, processor, how to properly identify your GDPR 
role"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. 
Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=10741"}],"version-history":[{"count":12,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10741\/revisions"}],"predecessor-version":[{"id":10890,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10741\/revisions\/10890"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/10743"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=10741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=10741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=10741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}