There is a "relationship" between the data subject and the controller, which should be understood as a legal relationship. Art. 5 I a GDPR stipulates that personal data have to be processed in a certain way "in relation to" the data subject:
"Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject."
Art. 6 IV b GDPR also refers explicitly to this "relationship":
"[...] the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller [...]"
Rec. 47 (1) GDPR also emphasises the importance of the "relationship" between the controller and the data subject:
"[...] taking into consideration the reasonable expectations of data subjects based on their relationship with the controller."
Rec. 47 (2) GDPR specifies somewhat further what can be meant by this "relationship":
"Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller."
The data subject-controller "relationship" varies from situation to situation. It can be bilateral (a single controller and a single data subject), but it can also be multilateral (one or more controllers and an unspecified number of data subjects). It can be a direct "relationship" (the controller is directly accessible to data subjects; there is direct contact) or an indirect one mediated through other persons (several controllers, processors and/or sub-processors; joint controllers). There may also be no contact at all between the controller and the data subject (e.g. when processing publicly available data).
The data subject-controller "relationship" is subject to the principles of lawfulness, fairness and transparency, according to Art. 5 I a. It is thus also linked to other fundamental notions of the GDPR:
Nature of processing
The data subject-controller "relationship" depends on the nature of processing [Tile BC.05], which can be relatively simple or highly complex.
Reasonable expectations of the data subject
A certain objectivity is required when assessing the legal relationship between data subject and controller. Rec. 47 (1) and 50 (6) express that an examination of the reasonable expectations of the data subject must be carried out [Tile BC.03]. This examination is in addition to the many balancing decisions of the GDPR [Tile BD.01].
Although Rec. 47 (1) and 50 (6) are systematically linked to Art. 6 I f and 6 IV b respectively, the examination of reasonable expectations of the data subject is not limited to these two provisions. Indeed, the "relationship" between the data subject and the controller is closely linked to the context of the processing. The context is a relevant factor in many of the requirements of the GDPR [Tile BC.07]. It is the context that determines the true nature of the "relationship" between the parties.
The context of the processing is furthermore related to the scope of the processing [Tile BC.06] and is consequently also relevant to the risk associated with the processing [Tile BC.02]. As the level of risk helps to determine which technical and organisational measures the controller has to take according to e.g. Art. 24, 25 and 32, it depends on what can be expected from a certain type of controller.
What is reasonable in terms of the cost of implementing technical and organisational measures is partly determined by the type and level of organisation of the controller. The expectations of the data subject must reasonably be different for a global corporation than for a small or medium-sized enterprise or for a self-employed person. The reasonable expectations of the data subject thus also vary with the objective performance of the controller [Tile BC.03].
According to Art. 6 IV b, the "relationship" between the data subject and the controller is a criterion to be taken into account when considering whether an intended secondary processing is compatible with the original purpose of the processing [Tile BD.04]. The context in which the data were originally collected and the "relationship" between the data subject and the controller are important balancing criteria in the compatibility assessment. Other criteria are clearly related to the data subject-controller "relationship". Art. 6 IV c refers to the nature of the processing [Tile BC.05], especially when it comes to the processing of sensitive data. Art. 6 IV d refers to the possible consequences of the intended further processing for the data subject, whereby the risks for the data subject have to be acknowledged [Tile BC.02]. This assessment in turn depends on the Schutzgüter of the GDPR on behalf of the data subject [Tiles B]. The compatibility test thus requires that the controller has a clear idea of what constitutes its "relationship" with the data subject in relation to the data subject's Schutzgüter.