As a response to inquiries from banks and postal operators, CPDP interpreted the legal figures „controller” and „processor” of personal data in the context of the provision of services. The position of CPDP expressed in several opinions is the following:
„1. Undertakings providing services subject to strict and comprehensive statutory regulation based on a license or analogous individual authorization from the State and under the control of explicitly designated public authorities can not in principle be considered as processors of personal data but as stand-alone controllers. Examples of such controllers are postal operators, banks and insurance companies.
2. Given the diversity of public relations and in accordance with the principle of accountability regulated in Art. 5 (2) of Regulation (EU) 2016/679, participants in commercial and civilian turnover should themselves determine on a case-by-case basis, what their legal relationships are with regard to the personal data they process – independent controllers, controller and processor or joint controllers. Their choice should not be formal and should ensure the highest degree of compliance with the requirements of Regulation (EU) 2016/679 and effective protection of the rights of data subjects.”