Data controllers

The definition of the data controller as it is presented in Article 4 GDPR – Definitions – is the following: “natural or legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data”. European Data Protection Board in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR states the following related to the “determines” building block in the definition: << A controller is a body that decides certain key elements about the processing. This controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. One should look at the specific processing operations in question and understand who determines them, by first considering the following questions: "why is this processing taking place?” and “who decided that the processing should take place for a particular purpose?”>>

So the questions you need to ask are “who designed the questionnaires”, “who benefits from the answers in the questionnaires”, “who decides what happens with the personal data in the questionnaires”, etc. If these entities have some degree of autonomy/ independence, then they are controllers or joint controllers. If they just provide forwarding service for other entities, then they should be considered processors.

Please also consult these links:

• Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
• EU GDPR controller vs. processor – What are the differences? : https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
• EU GDPR Data Protection Officer Course: https://advisera.com/training/eu-gdpr-data-protection-officer-course/
• Guidelines 07/2020 on the concepts of controller and processor in the GDPR: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en