33. OUTLINE – Over the following chapters, the basic regulatory scheme of EU data protection law will be analysed with specific emphasis on the role of the controller and processor concepts. After describing its scope of application and basic protections, a detailed analysis will be made of how EU data protection law allocates responsibility and liability among actors involved in the processing of personal data. First, the key elements of the concepts of controller and processor shall be elaborated. Next, the relationship between controllers, co-controllers and processors will be discussed, followed by an analysis of the liability exposure of each actor. Finally, a number of specific issues relevant to the practical application of the controller and processor concepts shall be discussed.

34. METHODOLOGY – The analysis over the following chapters is based in first instance on the text of both the GDPR and Directive 95/46, their preparatory works, the case law of the CJEU, as well as the guidance issued by the Article 29 Working Party and European Data Protection Board. In certain places, however, the analysis is supplemented by insights offered by the preparatory works which accompanied national implementations of Directive 95/46. This approach is based on the assumption that national deliberations on the topic of how Directive 95/46 should be implemented into national law can yield additional insights as to how policymakers understood the provisions of Directive 95/46 at the time of its enactment. Finally, as regards the liability exposure of controllers and processors, reference shall also be made to the Principles of European Tort Law (PETL) as well as national Belgian tort law. The reason for doing so is that EU data protection law does not exhaustively harmonise the liability exposure of controllers and processors. By incorporating these supplemental sources into the analysis, however, it is possible to complement the analysis of the GDPR and Directive 95/46 with a number of important elements.