My question is very specific about how to determine who is a 'data controller'.
I have a project where some entities only receive questionnaires (containing personal data) from people who participate and then send them to other entities for evaluation. At first I had considered them 'data controllers', but since they only receive the questionnaires, without being able to see their content, nor do they dictate the reason for their processing or how it is done, I am not sure if I should consider them as such.
The definition of the data controller as it is presented in Article 4 GDPR – Definitions – is the following: “natural or legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data”. European Data Protection Board in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR states the following related to the “determines” building block in the definition: << A controller is a body that decides certain key elements about the processing. This controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. One should look at the specific processing operations in question and understand who determines them, by first considering the following questions: "why is this processing taking place?” and “who decided that the processing should take place for a particular purpose?”>>
So the questions you need to ask are “who designed the questionnaires”, “who benefits from the answers in the questionnaires”, “who decides what happens with the personal data in the questionnaires”, etc. If these entities have some degree of autonomy/ independence, then they are controllers or joint controllers. If they just provide forwarding service for other entities, then they should be considered processors.