Data protection regimes impose a wide range of obligations in respect of the processing of personal data. These obligations typically include, for example, the obligation to provide access to the personal data upon request, the obligation to ensure the accuracy of the personal data, and the obligation to secure the personal data from unauthorized access. Who should be made responsible for complying with these obligations? In simple cases where the processing of personal data involves only one entity and only one processing operation, it is usually clear that that entity ought to be made singly responsible …
Benjamin Wong, Problems with controller-based responsibility in EU data protection law, International Data Privacy Law, volume 11, issue 4, November 2021, pages 375-387, https://doi.org/10.1093/idpl/ipab014.