EU data protection law identifies four roles in data protection, each with its own obligations and rights under the GDPR: the controller, the processor, the data subject and the supervisory authority.
The controller is the person, legal entity, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Generally, the role of the controller is derived from the organisation’s functional relation with the individual.
That is, a business is the controller for the customer data it processes in relation to its sales, and an employer is the controller for the employee data they process in connection with the employment relationship. In some cases, the role of the controller is derived from the law or official tasks of the organisation.
For example, a tax authority is the controller for the processing of citizens’ financial data in connection with taxation. Last but not least, the role of controller can be derived from the factual influence of an organisation over the data processing. For example, somebody who steals personal data is considered the controller for the stolen data (and lacks a sufficient legal basis for the processing, making the processing illegal). A similar argument can be made for an organisation’s headquarters which requires its affiliates to process their data using a specific cloud application.
The controller is required to meet the obligations of the GDPR, including:
The controller is accountable for the processing of personal data and liable for any damage resulting from a violation of the GDPR rules. Where a controller processes personal data jointly with another controller, they could be jointly and severally liable towards the individual.
The processor is the person, legal entity, public authority, agency or any other body which processes personal data on behalf of the controller (for example, a service provider). Typical processors are IT service providers (including hosting providers) and payroll administrators.
The processor is required to process the personal data in accordance with the controller’s instructions, and take adequate measures to protect the personal data. The processor may not use the personal data for its own purposes.
The processor must process the personal data in accordance with the principles of data protection by design and data protection by default, inform the controller of a data breach, demonstrate compliance with the GDPR by keeping up-to-date documentation about the processing, and prevent the personal data from being transferred to recipients in countries that do not provide an adequate level of protection. The controller is required to conclude a processor agreement with the processor detailing the processor’s obligations.
The processor is liable for any damage resulting from not meeting its obligations under the regulation or acting contrary to the controller’s lawful instructions. This includes liability for data breaches caused by the processor. It should be noted that the controller is liable for the damage caused by the processor, so controllers should do proper due diligence before engaging processors, supervise their processing of the personal data, and conduct regular audits and compliance checks to verify the processor’s compliance with the regulation.
The data subject is an identified individual or an individual who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other individual or legal entity.
The GDPR extends specific rights to data subjects regarding the use of their personal data, such as
Furthermore, the data subject has the right to lodge a complaint with the supervisory authority and to receive compensation for damages incurred as a result of non-compliance by the controller or processor.
The supervisory authority (Data Protection Authority or DPA) is the public authority that supervises and enforces the GDPR on the territory of its Member State. Each DPA has broad enforcement powers, including the power to issue fines of 20 million euro or 4% of global turnover, whichever is higher, in cases where the data subject’s rights have been infringed, and 10 million euro or 2% of global turnover, whichever is higher, in cases where data controllers or processors have not met the obligations of the regulation, as well as the power to conduct investigations and deal with complaints.
Controllers must notify the relevant DPA(s) of data breaches, and certain types of processing, such as some international data transfers, require a DPA’s authorisation.