In order to vindicate data subjects’ rights, the GDPR defines two new roles for organisations: Data Controllers and Data Processors.
This post will outline the roles and obligations for both under the GDPR.
Controller or processor
Controllers are those who determine the purposes and means of processing personal data. Processors are those engaged in processing personal data on behalf of controllers.
To decide whether an organisation, or part of an organisation, is a “controller” or a “processor”, the key question is who determines the purposes and means of data processing, where “purposes” is the why question and “means” is the how question.
It is the controller who decides both why personal data should be collected and how the collected personal data should be processed. Where two or more controllers are involved, they are termed joint controllers. Under the GDPR, joint controllers incur joint liability.
The party who implements these decisions is the processor. They follow instructions given by controllers and cannot make decisions on the choice of purposes and means in data processing.
For data controllers (joint or otherwise), one of the most important things to know about GDPR obligations is that controllers need to be able to demonstrate that they have implemented appropriate technical and organisational measures in their processing operations.
First of all, demonstrating legal compliance is in itself a GDPR obligation. It is not for the supervisory authority to find fault with an organisation’s data processing; it is for the organisation to prove that it is compliant. The key concept of the GDPR which controllers need to accept is that they must be able to show that their processing activities are in line with the data processing principles laid down by the GDPR. The accountability principle in Article 5(2) means that controllers are responsible for, and must be able to demonstrate, their compliance with the data processing principles listed in Article 5(1).
The obligations which controllers must adhere to include:
- To maintain records of all processing activities (Article 30);
- To cooperate and consult with supervisory authorities (Article 31);
- To ensure a level of security (Article 32);
- To notify the supervisory authorities in the event of a data breach (Article 33);
- To conduct a data protection impact assessment (Article 35);
- To appoint a data protection officer (Article 37);
- Specific obligations as regards transfer of data outside the EU (Chapter V);
- To assist data subjects with exercising their rights to privacy and data protection (Chapter III).
The GDPR furthermore requires that controllers implement appropriate procedural and technical measures to protect personal data. They need to be able to show that they have taken concrete measures within their capacity to meet their obligations (Article 24).
But how do controllers show that they have taken appropriate measures and that processing activities are in line with the GDPR? This requires clear evidence, for example:
- Documentation of comprehensive privacy policies;
- The appointment of a data protection officer and representatives;
- Adopting and following codes of conduct or Binding Corporate Rules;
- Keeping records of all data processing activities.
This evidence needs to demonstrate that concrete steps have been taken to comply with the GDPR provisions in order to meet the controller’s obligations.
The other major party, the data processor, has a slightly different set of obligations from those outlined above.
Article 28 GDPR sets out the obligations of processors, which in particular include:
- To comply with the GDPR data processing principles and to protect the rights and freedoms of data subjects;
- To demonstrate compliance with the GDPR;
- To maintain records of processing activities and make them available upon request by supervisory authorities;
- To appoint data protection officers or representatives;
- To cooperate with supervisory authorities in the performance of their tasks;
- To ensure a level of security by taking appropriate technical and organisational measures.
Article 28(3) lists detailed requirements to ensure legal compliance by the processor, such as:
- Act on documented instructions from the controller;
- Ensure confidentiality, assist with legal compliance of the controller, respond to requests from data subjects;
- Make available all information necessary to demonstrate compliance of the controller;
- Take measures to assist the controller with ensuring security of processing;
- Deal with the personal data at the end of processing in the manner chosen by the controller.