Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Paragraph 2.1.1 “Natural or legal person, public authority, agency or other body”
17. The first building block relates to the type of entity that can be a controller. Under the GDPR, a controller can be “a natural or legal person, public authority, agency or other body”. This means that, in principle, there is no limitation as to the type of entity that may assume the role of a controller. It might be an organisation, but it might also be an individual or a group of individuals. In practice, however, it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller with in the meaning of the GDPR. As far as data processing within a company group is concerned, special attention must be paid to the question of whether an establishment acts as a controlleror processor, e.g. when processing data on behalf of the parent company.
18. Sometimes, companies and public bodies appoint a specific person responsible for the implementation of the processing operations. Even if a specific natural person is appointed to ensure compliance with data protection rules, this person will not be the controller but will act on behalf of the legal entity (company or public body) which will be ultimately responsible in case of infringement of the rules in its capacity as controller.