An important factor in setting up internal and external processes is knowing which duties and responsibilities a given entity has in a given situation, so that it can comply with the European GDPR. Determining that position tells you which rights and obligations the entity has regarding the collection, storage, and processing of personal data.

Who is the controller?
The role of the personal data controller was already central under the previous data protection legislation, and it remains central under the GDPR. The controller is responsible for ensuring that personal data is processed lawfully and correctly.
The controller is:
- any person who, alone or jointly with others, determines the purposes and means of the processing of personal data, sets the conditions under which it is processed, and processes personal data on their own behalf and systematically (only the controller processes personal data on their own behalf),
- anyone who meets the conditions laid down in the law, as well as anyone to whom this role is assigned directly by a specific law (e.g. a bank),
- the person responsible for implementing appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is carried out in accordance with the GDPR.
It is important to note that a person who processes personal data purely in the course of their personal or household activities, or who processes personal data that they have obtained by chance, is not considered a controller.
Who is a processor?
One of the obligations of the controller is to ensure the quality and reliability of the entities that will have access to the data being processed. There are situations in which the controller entrusts the processing of data to an external party, e.g. an external accountant. However, a processor is not only an external accountant who has access to personal data through accounting documents. A cloud service operator may also become a processor even though its staff may never look at the data, because the data is stored on its hardware and handled by its software. In such cases the controller allows these entities to process the data provided to them, e.g. employee data, but must specify exactly what data will be processed, for what purpose, and by whom. This puts the external party in the position of a personal data processor.
A processor is:
- a person authorised by the controller who processes personal data on behalf of the controller (this processing is governed by a contract or other legal act under Union or Member State law),
- a person who ensures that the persons authorised to process the personal data have committed themselves to confidentiality,
- a person who assists the controller, as far as possible, with appropriate technical and organisational measures in fulfilling the controller's obligations,
- a person who implements the required measures and complies with the conditions set out in the relevant articles of the GDPR.
Although each of the above entities has its own defined "tasks" under the GDPR, both bear a high degree of responsibility and carry the risk of a personal data breach that may affect the rights and freedoms of data subjects. The division of tasks between the controller and the processor is not always straightforward, which is why the GDPR establishes a framework of tasks for the situations in which problems arise. A common example where the allocation of tasks is crucial is a data breach (e.g. loss or leakage of data). In such a case, each company affected by the breach must ensure that everyone acts in accordance with the responsibilities of their specific position.
One important aspect of the relationship between the controller and the processor is the so-called processor agreement.
What is a processor agreement?
It is essential that a clear and specific agreement on data processing (a so-called processing agreement) is in place before personal data is handed over to a processor. Simply put, it is a written division of powers and responsibilities between the entities. The processing agreement must contain the necessary details, namely:
- the subject matter and duration of the processing of personal data,
- the nature and purpose of the processing,
- the type of personal data,
- the categories of data subjects,
- the obligations and rights of the controller.
The General Data Protection Regulation provides a solid foundation for supervision by the controller throughout the entire period of personal data processing. There should therefore never be a situation in which the controller does not know who is processing the personal data of its clients, employees, patients, etc., or where and how that processing takes place.