Role of the Data Controller

The data controller occupies the normative, governance and operational centre of gravity within the GDPR for every processing of personal data. This is not a merely formal classification, but concerns the party that directs the processing, determines the purposes, selects the essential means, and bears responsibility for the lawfulness, proportionality, transparency and controllability of the entire data-processing operation. Where personal data are processed within digital chains, platform environments, cloud structures, client portals, internal registers, marketing databases, compliance systems or fraud-prevention processes, the question of who acts as data controller is directly connected to the question of who is accountable at governance level for the design, execution and control of that processing. The classification as data controller therefore affects not only data protection obligations, but also governance, risk management, contracting, auditability, supervisory relationships, reputation protection and strategic digital integrity management. An organisation that determines the purposes and means of processing cannot confine itself to procedural compliance or standard documentation; it must be able to explain why personal data are processed, why that processing is necessary, how the chosen method relates to the rights of data subjects, and which safeguards have been implemented to prevent misuse, excessive processing, ambiguity and loss of control.

Within Integrated Digital Crime Risk Management, controllership assumes an even broader significance, because personal data are often processed not only for ordinary business operations, but also for risk assessment, client acceptance, transaction monitoring, fraud investigations, internal reporting, incident analysis, sanctions screening, cybersecurity detection, dispute handling and governance decision-making. Such processing activities sit at the intersection of compliance, security, integrity, privacy and digital resilience. This creates a heightened need to define the role of the data controller precisely and to assume it substantively. Digital Crime Risks cannot be managed effectively where it remains unclear who determines the purposes, who decides on the use of systems, who is responsible for the proportionality of data processing, who informs data subjects and who is accountable in the event of complaints, supervisory inquiries or incidents. Controllership therefore operates as a legal and governance anchor: it determines where responsibility begins, how that responsibility must be organised internally, and how it must be capable of being justified externally.

Determining the Purposes and Means of Processing

The core of controllership lies in determining the purposes and means of processing. The data controller decides why personal data are processed and within which functional, organisational and technical parameters that processing takes place. This means that the assessment does not focus solely on who has factual access to data or who manages a system, but primarily on who exercises decisive influence over the purpose of the processing and the essential choices concerning the manner in which that processing is carried out. The questions why data are collected, how they are used, which categories of data are necessary, which data subjects are affected, how long the data are retained and with whom they are shared belong to the very heart of the controller role. An organisation that makes these choices cannot hide behind executing parties, technology suppliers or internal departments that merely perform elements of the process. Legal responsibility follows substantive control.

In digital environments, this assessment often becomes more complex because data processing takes place through multiple systems, departments and external service providers. A commercial department may formulate the purpose of customer profiling, an IT department may determine the technical configuration, a compliance department may feed risk models, and an external provider may operate the platform on which the processing actually takes place. Nevertheless, the central question remains who makes the decisive choices concerning the why and the how of the processing. Where an organisation determines that personal data will be used for customer segmentation, fraud detection, transaction monitoring or risk classification, that organisation will generally be the data controller for that processing, even where an external party performs the technical execution. The mere outsourcing of operational acts does not alter the legal position where control over the purposes and means remains with the instructing party.

Within Integrated Digital Crime Risk Management, this classification is particularly important because many processing operations are justified by reference to security, integrity or risk control, while they may have a significant impact on the private life of data subjects. Examples include recording signals of unusual conduct, combining data from different sources, assessing clients on the basis of risk profiles or analysing digital traces after an incident. In such situations, the data controller must determine in advance which purpose is being pursued, which data are necessary, which analytical methods are acceptable and which limits apply to further use. Without clear purpose determination, there is a risk that data collected for one integrity-related purpose will later be used for broader commercial, disciplinary or investigative purposes without an adequate legal basis or sufficient transparency. Determining the purposes and means is therefore not a technical starting question, but a fundamental governance decision.

Bearing Primary GDPR Responsibility

The data controller bears primary responsibility for compliance with the GDPR. That responsibility encompasses not only compliance with individual obligations, but also the ability to demonstrate that the processing as a whole has been designed lawfully, fairly, transparently and controllably. Accountability requires the data controller not to attempt retrospectively to reconstruct why certain data were processed, but to establish in advance a defensible position on legal basis, purpose limitation, necessity, proportionality, security, retention periods, data subject rights and internal decision-making. This is a matter of demonstrable responsibility: what matters is not only the intention to act carefully, but the presence of concrete measures, clear documentation, governance involvement and effective control mechanisms.

This primary responsibility has far-reaching consequences for the internal organisation. The data controller must ensure that data protection obligations do not become fragmented across legal departments, IT teams, compliance functions, commercial units and external suppliers without clear ultimate responsibility. Where personal data are processed, it must be clear which function is responsible for the lawfulness assessment, who oversees execution, who safeguards data quality, who handles requests from data subjects, who monitors retention periods and who makes decisions in the event of incidents or supervisory inquiries. The GDPR does not require responsibility on paper only, but a functioning system of direction and accountability in which the legal position of the controller is translated in practice into procedures, authorities, controls and reporting lines.

In the context of Integrated Digital Crime Risk Management, this primary responsibility takes on heightened significance because integrity and crime risks often give rise to intensive data processing. Fraud signals, internal reports, forensic analyses, sanctions checks, access logs, communications data and client files may contain sensitive information and may have significant consequences for data subjects. The data controller must therefore be able not only to explain that processing was necessary for risk management, but also to demonstrate that the chosen processing was proportionate, carefully limited and capable of being verified. Digital Crime Risks must not become a licence for unrestricted data collection or opaque decision-making. The primary responsibility of the controller consists in ensuring that risk management and legal protection are safeguarded simultaneously.

Selecting a Valid Legal Basis for Processing

For every processing of personal data, the data controller must be able to rely on a valid legal basis. That legal basis forms the legal gateway to the processing and largely determines which conditions, limitations and accountability obligations apply. Consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest and legitimate interests each have their own scope and evidentiary burden. The data controller must therefore do more than merely name a legal basis; it must be able to explain why that basis fits the specific purpose, the nature of the data, the position of the data subject and the context in which the processing takes place. A general reference to business interest, security or compliance is insufficient where it is not clear which specific processing activity is supported by that basis.

The choice of legal basis requires a substantive assessment in advance. In the case of consent, it must be established whether consent has been freely given, specific, informed and unambiguous, and whether withdrawal can be given practical effect. In the case of contract, it must be assessed whether the processing is necessary for performance of the contract, and not merely useful or commercially desirable. In the case of a legal obligation, the statutory basis must be sufficiently concrete. In the case of legitimate interests, a balancing exercise must take place in which the organisation’s interest is weighed against the rights and freedoms of data subjects. That assessment must be serious, specific and capable of being verified. Particularly in processing activities for security, fraud prevention, internal investigations or monitoring, legitimate interests may be relevant, but this does not remove the need to substantiate necessity, proportionality, subsidiarity and transparency carefully.

Within Integrated Digital Crime Risk Management, the choice of legal basis is often one of the most sensitive elements of controller responsibility. Processing activities connected with Digital Crime Risks may be legitimate and necessary, but they often concern data relating to behaviour, communications, transactions, location, access, identity or suspicions of irregularities. The data controller must therefore prevent crime control from being used as a generic justification for broad data processing. Every processing activity must be linked back to a concrete purpose and an appropriate legal basis. This applies, for example, to phishing investigations, detection of unusual login patterns, analysis of malware incidents, investigation of internal data breaches or assessment of client fraud risks. A defensible legal basis exists only where it is clear why the processing is necessary, why less intrusive means are insufficient, and which safeguards exist against misuse or improper expansion.

Informing Data Subjects

Transparency is a core obligation of the data controller. Data subjects must be informed in a clear, intelligible and accessible manner about the processing of their personal data. This includes, among other things, the identity of the data controller, the purposes of the processing, the applicable legal bases, the categories of personal data, the recipients or categories of recipients, retention periods, the rights of data subjects, any transfers outside the European Economic Area and relevant information about automated decision-making. This information obligation is not intended as a formal textual requirement, but as an instrument enabling data subjects to gain genuine insight into what happens to their data and what options they have to exercise control.

The quality of transparency is not determined by the length of privacy documentation, but by the extent to which the information is understandable, concrete and usable. Generic wording, broad purpose descriptions, unclear categories of recipients or vague retention periods undermine the function of the information obligation. A data subject must be able to understand which data are processed, why that occurs and what consequences it may have. This requires the data controller to align privacy notices, internal notices, cookie information, client communications and process information with the processing that actually takes place. Where external information does not correspond with internal practice, a serious governance problem arises: the organisation then says something different from what it does. Transparency is therefore not only a communications issue, but also a test of internal control.

In the domain of Integrated Digital Crime Risk Management, transparency may create tension because certain processing activities relate to security, detection, investigation or the prevention of misuse. Not every operational measure can be disclosed in detail without undermining the effectiveness of security or investigations. That does not, however, remove the data controller’s obligation to provide clear information about categories of processing, purposes, legal bases, rights and safeguards. In relation to monitoring, fraud prevention, access control, risk classification or incident investigations, the balance between transparency and effectiveness must be considered in advance. Digital Crime Control loses legitimacy where data subjects are left entirely in the dark about structural forms of data processing that may affect them. The controller must therefore apply a transparency framework that is clear without unnecessarily weakening operational security.

Safeguarding the Rights of Data Subjects

The data controller must ensure that data subjects can effectively exercise their GDPR rights. The rights of access, rectification, erasure, restriction of processing, data portability, objection and protection against solely automated decision-making form the practical core of data protection. These rights are effective only where the organisation is able to locate, understand, assess and respond adequately to personal data within the statutory time limits. A formal channel for requests is insufficient where there is no underlying overview of systems, files, data flows, retention periods, responsible functions and grounds for exceptions. The controller must therefore organise the exercise of rights as an integrated process, not as an ad hoc response to individual requests.

Handling data subject requests requires legal precision and operational discipline. In the case of an access request, it must be clear which personal data are processed, what the purposes are, to whom the data have been disclosed and for how long they are retained. In the case of rectification, it must be assessed whether data are factually inaccurate, incomplete or misleading. In the case of erasure, it must be determined whether further storage remains necessary or whether statutory retention obligations, legal claims or overriding interests justify continued retention. In the case of objection, a concrete balancing exercise must take place. The data controller must avoid rejecting requests routinely with general references to business interests, security or administrative complexity. Every decision must be specific, understandable and defensible.

Within Integrated Digital Crime Risk Management, the rights of data subjects are particularly sensitive because data processing often takes place in contexts where interests collide. A data subject may request access to data connected with fraud prevention, internal reports, security logs, incident investigations, access registrations or risk assessments. Full disclosure may sometimes affect the rights of third parties, investigative interests or security measures, but any restriction of rights must always be legally reasoned and applied proportionately. The controller must be able to distinguish between data that can be provided, passages that must be redacted and information that may be temporarily or partially restricted on the basis of overriding interests. Digital Crime Risks make this assessment more complex, but they do not release the data controller from the obligation to handle rights seriously, carefully and in a verifiable manner.

Overseeing Appropriate Security Measures

The data controller bears responsibility for ensuring that personal data are protected by appropriate technical and organisational measures. That obligation extends well beyond the mere existence of security policies, password rules or general IT controls. Its core lies in whether the measures adopted genuinely correspond to the nature of the personal data, the sensitivity of the processing, the scale of the datasets involved, the vulnerability of the data subjects, the technology used, the threats present in the digital environment and the possible consequences of loss, unauthorised access, manipulation or unlawful processing. Security is therefore not a separate technical domain standing alongside privacy, but an essential component of the lawfulness and reliability of processing. A data controller that processes personal data without appropriate security undermines not only confidentiality and integrity, but also the legitimacy of the processing as a whole.

Within Integrated Digital Crime Risk Management, this security obligation has a direct relationship with Digital Crime Risks. Phishing, ransomware, malware, credential theft, social engineering, insider misuse, data theft, unauthorised access, supply-chain compromise and manipulation of digital environments may result in personal data being exposed, altered, destroyed or used for further criminal conduct. The data controller must therefore not merely respond to incidents, but assess in advance which threats are relevant to the specific processing and which measures are necessary to reduce those threats. Such measures may include access management, logging, encryption, network segmentation, backup policies, vulnerability management, supplier control, authorisation models, monitoring, awareness, incident response procedures and periodic testing. The decisive question is always whether the measure exists not only on paper, but demonstrably functions within the actual digital operation.

The governance dimension of security deserves particular emphasis. The data controller cannot fully delegate security to IT, external suppliers or security specialists while retaining no responsibility for risk choices, priorities, budgets, governance and control. Where personal data are processed in critical business processes, client environments, compliance systems or forensic investigation contexts, security must be embedded in decision-making concerning the design, procurement, implementation, use, monitoring and termination of systems. An organisation that takes Integrated Digital Crime Risk Management seriously does not treat security as an afterthought, but as a condition for digital integrity. The data controller must be able to demonstrate that security measures are based on risk analysis, are periodically evaluated, correspond to current threats and are adjusted where technology, the threat landscape or the processing context changes.

Selecting and Directing Data Processors

Where a data controller engages a data processor, the primary responsibility for the processing remains with the controller. Outsourcing technical or operational activities does not mean that legal responsibility for lawfulness, transparency, security, data subject rights and accountability is transferred. The controller must therefore carefully assess whether a processor provides sufficient guarantees in relation to expertise, security, reliability, continuity, sub-processor management, data location, incident response and compliance with instructions. That assessment may not be limited to commercial suitability, price, functionality or market reputation. The central question is whether the processor is capable of carrying out the processing within the legal, technical and organisational framework required by the GDPR.

This responsibility begins before the contract is concluded and continues throughout the entire cooperation. The data controller must give clear instructions on which personal data may be processed, for which purposes, under which security conditions, with which retention periods, which sub-processors may be used, how data breaches must be reported, how requests from data subjects must be supported and what must happen upon termination of the services. The data processing agreement must not be a standard annex detached from the real service provision, but an operationally useful instrument that reflects the actual data flows, systems, roles and risks. Where contractual arrangements remain abstract, the risk arises that the processor in practice takes more latitude than is legally permitted, or that the controller has insufficient control over processing, security and incident response.

Within Integrated Digital Crime Risk Management, directing processors is particularly important because Digital Crime Risks often arise within chains. Cloud providers, software suppliers, managed service providers, marketing platforms, payment processors, investigation firms, IT administrators and data platforms may have access to large volumes of personal data or critical digital infrastructure. A vulnerability at a processor may therefore lead directly to data breaches, business disruption, reputational damage and supervisory questions for the controller. The data controller must therefore not rely solely on certifications or contractual guarantees, but must also periodically test whether the processor in fact acts in accordance with instructions and maintains appropriate measures. Supplier management thereby becomes part of Digital Crime Control: the chain is only as strong as the weakest link that processes, manages or can technically access personal data.

Maintaining Documentation and Accountability

Accountability is a foundational principle of controllership. The data controller must not only comply with the GDPR, but must also be able to demonstrate that it complies with the GDPR. This requires a carefully structured documentation practice in which processing activities, purposes, legal bases, categories of personal data, recipients, retention periods, security measures, risk assessments, DPIAs, processor relationships, transfers, incidents and decision-making processes are recorded in a verifiable manner. Documentation does not serve a merely administrative function. It constitutes evidence of governance control, legal reasoning and operational command. Without sufficient documentation, compliance becomes vulnerable, because it cannot later be demonstrated why certain choices were made, which risks were assessed and which safeguards were implemented.

An effective accountability framework requires documentation to be current, coherent and factually accurate. Many organisations have registers, policies and templates, but lose the connection between documentation and practice when processes change, new systems are introduced, suppliers are replaced, data flows expand or new purposes of use emerge. The data controller must therefore ensure that the record of processing activities is not a static document, but a governance instrument that moves with the digital operation. Risk analyses, DPIAs, balancing assessments, retention schedules and privacy notices must also be reviewed where the processing changes. Accountability requires discipline in version control, recording decisions, internal ownership and periodic review.

Within Integrated Digital Crime Risk Management, documentation is of heightened importance because processing for integrity, security and crime control purposes is often intensive, sensitive and context-dependent. In fraud detection, internal investigations, sanctions screening, cyber incident analysis, access monitoring or forensic data collection, it must be clear which data were processed, why that was necessary, who had access, which limitations applied, how long the data are retained and which assessments were made between risk management and the rights of data subjects. Digital Crime Risks often involve pressure, urgency and uncertainty, but those circumstances do not make documentation less important. On the contrary: where supervision, complaints, civil proceedings or criminal-law questions arise, the quality of the file is often decisive for the defensibility of the controller’s conduct.

Reporting and Managing Data Breaches

The data controller must identify, assess, manage and, where necessary, report data breaches to the supervisory authority and inform data subjects in a timely manner. A data breach is not limited to large-scale data theft or public disclosure of data. Loss of a device, transmission to the wrong recipient, unauthorised access, ransomware encryption, accidental publication, an internal authorisation error, a misconfigured cloud environment or manipulation of personal data may also constitute a data breach. The data controller must therefore have a process through which incidents are rapidly identified, factually investigated, legally assessed and operationally followed up. Statutory notification periods require speed, but speed must not come at the expense of careful analysis and clear decision-making.

The assessment of a data breach requires a concrete risk analysis. The data controller must determine which personal data have been affected, how many data subjects are involved, which categories of data are concerned, whether data have been viewed, copied, altered or destroyed, which security measures were in place, what consequences may arise and which mitigating actions have been taken. It must also be assessed whether notification to the supervisory authority is required and whether data subjects must be directly informed because there is likely to be a high risk to their rights and freedoms. A deficient assessment may lead to late notification, unjustified non-notification or inadequate communication with data subjects. The controller must therefore organise not only incident response, but also a legal decision-making structure in which privacy, security, governance, communications and any external expertise are involved at the right moment.

Within Integrated Digital Crime Risk Management, data breach management is directly connected to Digital Crime Control. Many data breaches do not arise from administrative mistakes, but from targeted digital attacks, account misuse, malware, phishing, ransomware, insider conduct or supplier compromise. In such cases, the data controller must not only comply with notification obligations, but also understand the attack vector, limit further damage, preserve evidence, restore affected systems, align communications and prevent recurrence. Data breach management is therefore not an isolated privacy procedure, but an integrated component of incident response, cybersecurity, legal control and reputation management. The controller must be able to demonstrate not only that notification took place, but that the incident was understood at governance level, followed up technically and structurally used to strengthen security and governance.

Integrating Privacy into Governance and Decision-Making

The responsibility of the data controller reaches its full significance when privacy is integrated into governance and decision-making. Data protection cannot function effectively as a separate compliance layer that is consulted only after systems have been purchased, processes have been designed or commercial choices have been made. The GDPR requires privacy to be taken into account from the earliest stages of policy, product development, supplier selection, process design, data use, risk assessment and governance decision-making. This means that the controller must ensure clear roles, decision rights, escalation lines, reporting, review moments and governance attention for data protection. Privacy must be visible in the way the organisation makes choices, not only in the documents that are drafted afterwards.

This integration requires a governance model in which legal, technical, operational and strategic considerations are connected. New digital products, data-driven marketing, AI applications, client screening, fraud prevention, cloud migrations, cooperation with third parties and international data flows must be assessed in advance in relation to legal basis, proportionality, data minimisation, transparency, security, retention periods, data subject rights and supervisory readiness. The data controller must prevent privacy from being reduced to consent texts, cookie banners or standard clauses. The real question is whether the organisation is capable of processing personal data only where there is a clear necessity, a valid legal basis, a limited purpose and an appropriate safeguard. Governance makes that assessment structural, repeatable and enforceable.

Within Integrated Digital Crime Risk Management, privacy integration is indispensable because Digital Crime Risks, data protection, cybersecurity, compliance and governance responsibility constantly intersect. An organisation that seeks to manage crime risks requires data for detection, analysis, monitoring and response, but must at the same time prevent risk management from resulting in disproportionate surveillance, unclear profiling, excessive retention or opaque decision-making. The data controller must therefore establish a balance between protection of the organisation, protection of data subjects and protection of the integrity of digital processes. Privacy in governance means that this tension is not resolved incidentally or on an ad hoc basis, but is structurally embedded in strategy, policy, system choices, risk reporting and governance accountability. In that way, controllership becomes a core function of responsible digital organisation.
