July 17, 2020


EU data protection law identifies four roles in data protection, each with its own obligations and rights under the GDPR: the controller, the processor, the data subject and the supervisory authority.

The controller

The controller is the person, legal entity, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Generally, the role of the controller is derived from the organisation’s functional relation with the individual. 

That is, a business is the controller for the customer data it processes in relation to its sales, and an employer is the controller for the employee data they process in connection with the employment relationship. In some cases, the role of the controller is derived from the law or official tasks of the organisation. 

For example, a tax authority is the controller for the processing of citizens’ financial data in connection with taxation. Last but not least, the role of controller can be derived from the factual influence of an organisation over the data processing. For example, somebody who steals personal data is considered the controller for the stolen data (and lacks a sufficient legal basis for the processing, making the processing illegal). A similar argument can be made for an organisation’s headquarters which requires its affiliates to process their data using a specific cloud application. 

The controller is required to meet the obligations of the GDPR, including:

  • the requirement to have a sufficient legal basis for the processing of personal data (for example, consent, a contract, a legal obligation or a legitimate interest which overrides the data subject’s fundamental rights, freedoms and interests);
  • the requirement to collect personal data only for specified, explicit and legitimate purposes (purpose limitation);
  • to limit the processing and retention of personal data to said purposes (data minimisation);
  • to use the data only for secondary purposes which are compatible with the purpose for which the data were collected (use limitation);
  • to ensure that the data are accurate, up-to-date and relevant (data quality);
  • to take adequate measures to protect the data (security);
  • to ensure that the personal data are processed in accordance with the principles of data protection by design and data protection by default;
  • to inform the supervisory authorities and the data subject of a data breach;
  • to demonstrate compliance with the GDPR (documentation); and
  • to prevent personal data from being transferred to recipients in countries which do not provide an adequate level of protection compared to the GDPR (data export restrictions).

The controller is accountable for the processing of personal data and liable for any damage resulting from a violation of the GDPR rules. Where a controller processes personal data jointly with another controller, they could be jointly and severally liable towards the individual. 

The processor

The processor is the person, legal entity, public authority, agency or any other body which processes personal data on behalf of the controller (for example, a service provider). Typical processors are IT service providers (including hosting providers) and payroll administrators. 

The processor is required to process the personal data in accordance with the controller’s instructions, and take adequate measures to protect the personal data. The processor may not use the personal data for its own purposes. 

The processor must process the personal data in accordance with the principles of data protection by design and data protection by default, inform the controller of a data breach, demonstrate compliance with the GDPR by keeping up-to-date documentation about the processing, and prevent the personal data from being transferred to recipients in countries that do not provide an adequate level of protection. The controller is required to conclude a processor agreement with the processor detailing the processor’s obligations.


The processor is liable for any damage resulting from not meeting its obligations under the regulation or from acting contrary to the controller’s lawful instructions. This includes liability for data breaches caused by the processor. It should be noted that the controller is also liable for damage caused by the processor, so controllers should carry out proper due diligence before engaging processors, supervise their processing of the personal data, and conduct regular audits and compliance checks to verify the processor’s compliance with the regulation. 

The data subject

The data subject is an identified individual or an individual who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other individual or legal entity.

The GDPR extends specific rights to data subjects regarding the use of their personal data, including:

  • the right to be informed about the data processing;
  • the right to consent to the processing of their personal data (opt-in) or to object to the processing of their personal data (opt-out);
  • the right to obtain their personal data in a structured and commonly used format in order to transfer those data, in certain circumstances, to another controller (data portability);
  • the right not to be subjected to fully automated data processing or profiling;
  • the right to ask the controller whether personal data about them are being processed;
  • the right to know which data are processed (right of access);
  • the right to have the data corrected where they are incorrect;
  • the right to have the personal data completed where they are insufficient in relation to the purposes for which they are processed; and
  • the right to have the data erased under certain circumstances, for example where the retention period has lapsed or where consent for the processing has been withdrawn (right to be forgotten).

Furthermore, the data subject has the right to lodge a complaint with the supervisory authority and to receive compensation for damage incurred as a result of non-compliance by the controller or processor.

The supervisory authority

The supervisory authority (Data Protection Authority or DPA) is the public authority that supervises and enforces the GDPR on the territory of its Member State. Each DPA has broad enforcement powers, including the power to conduct investigations and deal with complaints, and the power to issue fines: 20 million euro or 4% of global turnover, whichever is higher, where the data subject’s rights have been infringed, and 10 million euro or 2% of global turnover, whichever is higher, where controllers or processors have not met the obligations of the regulation. 

Controllers must notify the relevant DPA(s) of data breaches, and certain types of processing, such as some international data transfers, require a DPA’s authorisation.
