EDPB has taken the position that a data subject cannot be considered a controller or processor, and the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects. Companies subject to the GDPR.