Psychiatric research traditionally relies on subjective observation, which is time-consuming and labor-intensive. The widespread use of digital devices, such as smartphones and wearables, enables the collection and use of vast amounts of user-generated data as “digital biomarkers.” These tools may also support increased participation of psychiatric patients in research and, as a result, the production of research results that are meaningful to them. However, sharing mental health data and research results may expose patients to discrimination and stigma risks, thus discouraging participation. To earn and maintain participants' trust, the first essential requirement is to implement an appropriate data governance system with a clear and transparent allocation of data protection duties and responsibilities among the actors involved in the process. These include sponsors, investigators, operators of digital tools, as well as healthcare service providers and biobanks/databanks. While previous works have proposed practical solutions to this end, there is a lack of consideration of positive data protection law issues in the extant literature. To start filling this gap, this paper discusses the GDPR legal qualifications of controller, processor, and joint controllers in the complex ecosystem unfolded by the integration of digital biomarkers in psychiatric research, considering their implications and proposing some general practical recommendations.