Have you ever considered the discussion on responsibilities and liabilities in the field of the European data protection law as a journey? You should. Brendan Van Alsenoy is inviting you take a trip through the whole history of data protection law in Europe and around the world, as well as through current practice to better understand the roles of different actors in what is a fiendishly complicated environment. You will find him to be a guide who effortlessly offers fresh perspectives on the subject: a relatively young scholar leveraging a surprisingly extensive and intensive practical experience in a national data protection authority as well as playing a key role in the Working Party Article 29 / European Data Protection Board.

This is a guide to the places that you know and new ones you never thought exist. At times it may explain concepts that you heard about dozens of times before. But Van Alsenoy's explanations are slightly different to the others. He is able to filter his academic knowledge through the lens of the regulatory authorities and their current disputes with other institutional and business players around the world.

One of the first problems the author addresses is the binary concepts of controller and processor. Is this division as clear-cut as when it was first postulated decades ago in European law, or it is rather a case that control is now distributed and should be regulated and applied accordingly? Has the concept of controller evolved to the degree that the explanations proposed in ‘80s and ’90s are no longer useful? How does this model work in practice?

One may say that these are the questions posed over and over again. Be that as it may, this book will nonetheless give you a valuable historical background. It offers use cases illustrating how to understand and interpret the system which the GDPR has inherited from previous European legislation. What will be the effect of different forms of joint controllership on the level of responsibility of each of the players?

It is sometimes surprisingly difficult to distinguish the joint controllership of the GDPR from the exchanges between individual controllers who co-operate with each other using shared resources for different purposes or using different means.