Controller (TTPA context)
A controller is the person or organization that decides the purposes and means of processing personal data in the context of political advertising. Under the TTPA regulation and GDPR, the controller has primary responsibility for ensuring compliance with data protection rules when personal data is used for targeting or delivering political ads.
Legal Basis
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
— Article 4(7), Regulation (EU) 2016/679 (GDPR), applicable in TTPA context
The TTPA regulation relies on the GDPR's definition of controller when addressing the use of targeting techniques and ad-delivery techniques based on personal data in political advertising.
Why It Matters
The controller role is critical in political advertising because it determines who bears legal responsibility for data protection compliance. When a political party, candidate, or campaign organization uses personal data to target voters with online ads, they typically act as the controller—even if they hire an agency or use a platform to deliver those ads.
This matters because controllers must ensure they have a valid legal basis for processing personal data (such as consent), implement appropriate security measures, and respect individuals' rights under GDPR. Complaints about misuse of personal data in political ad targeting go to data protection authorities, who will look to the controller for answers.
For online platforms and ad-tech providers, understanding whether they act as controllers or processors is essential. If a platform merely follows instructions from a political advertiser, it may be a processor. But if it makes its own decisions about how to use personal data for ad delivery, it may be a controller or joint controller, with corresponding obligations.
Key Points
- Decision-making power: The controller decides why and how personal data will be processed for political advertising purposes
- Primary accountability: Controllers bear the main legal responsibility for GDPR compliance when targeting techniques use personal data
- Consent requirements: Controllers must obtain valid consent or establish another lawful basis before processing personal data for political ad targeting
- Joint controllers: Multiple parties (e.g., a campaign and an agency) can be joint controllers if they jointly determine purposes and means
- Platform role: Platforms may act as controllers, processors, or joint controllers depending on their decision-making authority
- DPA enforcement: Data protection authorities direct complaints and enforcement actions primarily at controllers
Controller vs. Processor
A controller determines the "why" and "how" of data processing, while a processor acts on behalf of the controller following their instructions. In political advertising, a campaign that decides to target voters based on age and location is the controller. An ad agency that simply executes that targeting strategy as instructed is a processor.
The distinction matters for liability: controllers have direct obligations under GDPR, while processors have secondary obligations and must follow controller instructions. However, platforms that use their own algorithms to optimize ad delivery may cross the line from processor to controller or joint controller, sharing responsibility for compliance.
| Aspect | Controller | Processor |
|---|---|---|
| Decision authority | Decides purposes and means | Follows instructions |
| Legal obligations | Direct GDPR obligations | Secondary obligations |
| Example in political ads | Political party deciding targeting strategy | Agency executing campaign as directed |