Data controller and data processor

Top privacy, s.r.o. | Author: Top privacy, s.r.o.

An important factor in setting up both internal and external processes is understanding the specific duties and responsibilities of a given entity in a particular situation, in order to ensure compliance with the European GDPR. This guide will help you understand the role of the data subject and their rights and obligations regarding the collection, storage, and processing of personal data.

Who is a data controller?

Under the previous legislation, the data controller already played a key role in the processing of personal data, and it continues to do so under the GDPR. The data controller is the entity responsible for ensuring that personal data is processed lawfully and fairly.

A controller is:

  • anyone who, alone or jointly with others, determines the purposes of personal data processing, sets the conditions for such processing, and processes personal data on their own behalf and systematically (only a controller may process the aforementioned personal data on their own behalf),
  • anyone who meets the conditions set forth in the law, as well as anyone for whom this provision arises directly from a specific law (e.g., a bank),
  • the person responsible for implementing appropriate technical and security measures to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR.

It is important to note that a person who processes personal data for their own needs as part of personal activities or processes personal data obtained incidentally does not hold the position of a controller.

Who is a processor?

One of the controller’s obligations is to ensure the quality and reliability of the entities that will have access to the processed data. There are situations in which the controller entrusts data processing to an external party, e.g., an external accountant. However, a processor need not be limited to an external accountant who has access to personal data through accounting documents. A cloud service provider may also assume the role of a processor: while such a provider may not access the data directly, the data is stored on its hardware and handled by its software applications. In such cases, the data controller allows these entities to process the data provided to them, e.g., employee data. However, the controller must precisely specify what data the entities will process, for what purpose, and in what manner. These entities thus assume the role of a personal data processor.

A processor is:

  • a person entrusted by the controller who processes personal data on behalf of the controller (such processing is governed by a contract or other legal act under Union or Member State law),
  • a person who ensures that persons authorized to process personal data undertake to maintain the confidentiality of the information,
  • a person who assists the controller to the greatest extent possible through appropriate technical and organizational measures in fulfilling its obligations,
  • the one who implements the required measures and complies with the conditions set forth in the relevant articles of the GDPR.

Although each of the above-mentioned entities has “its own roles” defined under the GDPR, both bear a high degree of responsibility and assume the risk of a personal data breach that may affect the rights and freedoms of data subjects. However, the division of roles between the controller and the processor is not always straightforward. This is where the GDPR comes into play, establishing a framework and defined roles for the event that issues arise. A common example where the identification and allocation of roles is crucial is a data breach (e.g., loss, leakage, etc.). In such a case, the companies affected by the breach must ensure that everyone, from their specific position, acts in accordance with their responsibilities.

One of the important aspects of the relationship between the controller and the processor is the so-called data processing agreement.

What is a data processing agreement?

It is essential to ensure that a clear and specific agreement on data processing (the so-called data processing agreement) is in place before the processing of personal data is entrusted to a third party. Simply put, it is a written division of powers and responsibilities between the parties. The data processing agreement must contain the necessary details, specifically:

  • the subject matter and duration of personal data processing,
  • the nature and purpose of processing,
  • the type of personal data,
  • the categories of data subjects,
  • the rights and obligations of the controller.

The General Data Protection Regulation provides a solid foundation for ensuring oversight of the controller throughout the entire period of personal data processing. Therefore, a situation should never arise in which the controller is unaware of who, where, or how the personal data of its clients, employees, patients, and the like is being processed.
