11 February 2020
Both data controllers and data processors have obligations under the GDPR, but their responsibilities differ. Generally, data controllers carry more accountability and liability, but processors now have direct responsibilities and added layers of liability written into their role.
Are you a controller or a processor? Keep reading to find out which parts of the legislation affect your operations most and how you need to work with the other party to maintain GDPR compliance.
The definitions of data controller and data processor are set out in Article 4 of the GDPR.
A data controller is "a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data" (Article 4(7)).
A data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Article 4(8)).
Here's an example:
Your website collects email addresses and other personal data provided by visitors and customers for sales and marketing purposes. All the data collected is then sent on to Marketing and Promotions Ltd. for use in email marketing, SEO, and social media campaigns.
If you provide the data and the instructions, then you are the data controller and Marketing and Promotions Ltd is the data processor.
If you provide the data but leave Marketing and Promotions Ltd to decide for itself why and how it is processed, then Marketing and Promotions Ltd is determining the purposes and means as well. In that case you are joint controllers (Article 26), even though Marketing and Promotions Ltd is also the one doing the processing.
Why does it matter who determines the "purposes and means of processing"?
The GDPR distinguishes between these roles for accountability purposes. The European Commission's guidance holds the data controller to be the principal party responsible for collecting, managing, and providing access to personal data.
For example, if a data subject exercised her right of access (Article 15) to request her data, the controller would have to retrieve it, whether from its own servers or from the processor it contracted to handle the data.
Because the two roles carry different levels of accountability, each is assigned different compliance duties.
Let's break down each party's role according to legislative requirements.
The data controller decides what personal data is collected from data subjects and for what purpose. Because of this, the controller is responsible for determining its legal authority to obtain that data.
Data controllers need to establish a lawful basis for processing using one of the six bases listed in Article 6(1) of the GDPR: consent, performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest or official authority, and legitimate interests.
If a data processor starts determining the purposes and means of processing itself, rather than acting on the controller's instructions, it is treated as a controller for that processing (Article 28(10)) and all of the above responsibilities apply.
Controllers may only use processors that provide sufficient guarantees of compliance with the legislation (Article 28(1)).
Moreover, whenever a data controller and data processor work together, they must do so under a contract or other legal act that binds the processor to the controller (Article 28(3)). The contract must set out the documented instructions the processor must follow when processing the data.
Include the following GDPR-mandated information, as listed in Article 28(3), in each contract:
Putting the contract in place is the responsibility of the data controller. Data processors are obligated by law to process personal data only on the documented instructions provided by the controller.
If the controller fails to document the required instructions and the processor ends up determining the purposes and means of processing on its own, the law treats the processor as a controller for that processing (Article 28(10)).
Data processors aren't only obligated to uphold the contract. They must also immediately inform the controller if, in their opinion, an instruction infringes the GDPR or other Union or Member State data protection law (Article 28(3)).
In addition to having a contract, controllers and processors can rely on adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) as a way of demonstrating that the arrangement provides the sufficient guarantees the GDPR requires (Article 28(5)).
The GDPR holds data controllers accountable for the collection, use, and disposal of personal data in most cases.
However, data controllers were already previously liable under both European legislation and national law.
What's new is the direct accountability and liability placed on data processors.
Under the GDPR, individuals whose data you hold may bring a claim for compensation against either the data controller or the data processor (Article 82). A processor is liable where it has not complied with the obligations the GDPR places specifically on processors, or where it has acted outside of or contrary to the lawful instructions of the controller (Article 82(2)).
Both the controller and processor must engage in security practices that are compliant with the GDPR. Each party involved in the contract has an obligation to protect data from:
The GDPR describes these measures in Article 32, which applies to the controller and the processor equally: each must implement technical and organisational measures appropriate to the risk.
The agreed security measures should be reflected in the contract, but the guidance expects both parties to go one step further than a paper commitment.
In addition to using adequate and appropriate security measures, both the controller and processor can demonstrate compliance by adhering to an approved code of conduct or certification mechanism (Article 32(3)).
Codes of conduct are governed by Article 40; Article 40(2) lists the matters such a code may cover.
Controllers must carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35), whether the processing is done in-house or by a processor on the controller's instructions. Each country's Supervisory Authority publishes a list of the processing operations it considers high-risk (Article 35(4)).
Each impact assessment must contain, at a minimum, the four elements listed in Article 35(7):
When carrying out a DPIA, the controller must seek the advice of the Data Protection Officer if one is appointed (Article 35(2)). The Supervisory Authority must be consulted only if the assessment shows that the processing would still pose a high risk after mitigating measures (Article 36).
When should controllers carry out a data protection impact assessment?
Here are a few instances:
Transparency is a crucial goal of the GDPR.
Article 5(1)(a) requires that personal data be "processed lawfully, fairly and in a transparent manner in relation to the data subject", and Article 5(2) makes the controller responsible for being able to demonstrate compliance with that principle.
Transparency needs to continue throughout the life of the data, from collection to deletion.
Processors aren't explicitly mentioned in the text of Article 5; the accountability obligation there falls on the controller.
Data controllers are required to keep records of their processing activities (Article 30). Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or data relating to criminal convictions (Article 30(5)).
These records outline the basis for your data collection and include the details related to:
Data processors must also keep records. Their records cover the categories of processing they carry out on behalf of each controller (Article 30(2)) and include:
All records must be kept in writing, which includes electronic form (Article 30(3)), and must be made available to the Supervisory Authority on request (Article 30(4)).
Controllers must notify the Supervisory Authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay (Article 34).
If a processor becomes aware of a personal data breach, it must notify the affected controllers without undue delay (Article 33(2)); the 72-hour clock for the controller's own notification starts once the controller becomes aware of the breach.
Both controllers and processors must appoint a Data Protection Officer (DPO) when they meet one or more of the following criteria (Article 37):
If appointed, a DPO's tasks (Article 39) are to:
Data controllers and data processors have different obligations under the GDPR, but their roles are complementary in reaching the goals of transparency and accountability.
Data controllers perform much of the regulatory legwork, while processors have a more prescriptive role. Both, however, carry direct liability under the law, which makes it critical for each to uphold its end of the bargain. Working together promotes compliance and helps both parties avoid the hefty administrative fines that come with violating the rules (Article 83).
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.