The GDPR primarily contains obligations for the controller to fulfil when processing personal data.
In many provisions, however, the GDPR also refers to the rights and freedoms of "natural persons". On closer examination, it becomes clear that this must also mean the controller:
As the definition in Art. 4 No. 7 GDPR shows, controllers can be natural or legal persons, public authorities, agencies or other bodies. Thus, "natural persons" can of course also be "controllers". When the GDPR speaks of "rights and freedoms of natural persons", this can therefore also mean the rights and freedoms of those natural persons who process personal data and who are responsible for this.
This is also mandatory under fundamental rights, because in the relationship between private individuals controllers are also entitled to fundamental rights and their data processing is protected under fundamental rights. Example: The researcher who processes health data makes use of his or her freedom of science. Most recently, this has also been confirmed by the German Federal Constitutional Court:
The right to informational self-determination "stands in contrast to the freedom [of the person responsible] to pick up information himself, to process it and to use it according to his own, also changing purposes" [Order of 6.11.2019 - 1 BvR 16/13 -, para. 87].
This multidimensionality of data processing under fundamental rights is only inadequately covered by the GDPR as a whole. Among the rights and freedoms of natural persons that the GDPR seeks to protect, the fundamental rights of the controller are hardly explicitly taken into account. Listed below are the 12 provisions in articles and 24 provisions in recitals of the GDPR that refer to the rights and freedoms of "natural persons" (i.e. also to the rights and freedoms of "controllers"):
Articles: 1 I/II, 24 I, 25 I, 27 II a, 32 I, 33 I, 34 I, 35 I, 51 I, 57 I c and 70 I h GDPR.
Recitals: 2 (1), 3, 9 (1), 10 (1)/(2), 53 (3), 54 (2), 74 (3), 75, 77 (2), 78 (1), 80 (1), 84 (1), 85 (2), 86 (1), 89 (3), 94 (1)/(5), 98 (2), 113 (2), 116 (1), 154 (6), 166 (1) and 173 (1) GDPR.
The GDPR does not explicitly state which "rights and freedoms" are meant [see Tiles R]. Which "rights and freedoms" are protected is therefore highly controversial and unclear. The fact that the "rights and freedoms" of the controller are also protected by fundamental rights and must therefore also be protected by the GDPR is often neglected in the discussion on data protection law. In order to interpret the term "rights and freedoms", it may be necessary to refer directly to the fundamental rights of the Charter of Fundamental Rights.