ABSTRACT

The purpose of this chapter is to analyze the existing legal definitions of (joint) controller and processor and their differing interpretations by the competent Data Protection Authorities and the Court of Justice of the EU. In addition, the chapter will examine three concrete examples of how responsibility for compliance with the GDPR is attributed in the context of health data processing, including by means of new digital technologies. In particular, the chapter will analyze the roles and responsibilities of the actors involved in the case of 1) clinical trials, 2) health data processing within global platforms, and 3) wearables at the workplace. In conclusion, some general observations will be made, emphasizing the need for greater legal certainty in defining the capacity of the data processing actors and advocating for a change in the Court’s approach in defining the scope of joint controllership from ‘single phase’ to ‘value chain’.