The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, applicable since 25 May 2018, the “GDPR”) grants several rights to individuals with respect to their personal data by imposing responsibilities on organizations in their respective capacities as data controllers or data processors.
The codification of the responsibilities of data controllers and data processors under the GDPR has widespread implications for businesses impacted by the GDPR’s requirements. This article discusses the roles and responsibilities of data controllers and processors as per the provisions of the GDPR.
The GDPR defines a data controller as a legal or natural person, an agency, a public authority, or any other body that determines the purposes and means of processing personal data alone or in conjunction with others.
On the other hand, a data processor is a legal or natural person, agency, public authority, or other entity that processes personal data on behalf of a data controller.
The GDPR mandates that data controllers and data processors comply with its provisions when performing their respective functions. It is important to note that the roles of data controller and data processor are ‘functional’ in nature, with different responsibilities allocated to each role.
Therefore, under the GDPR framework, whether an entity is a ‘controller’ or a ‘processor’ is determined by a factual analysis of what it actually does in a given processing activity, rather than by any formal designation in a contract or policy. Labelling a vendor a “processor” in an agreement does not make it one if, in practice, it decides why and how the personal data are processed.
The substantive difference between data controllers and data processors lies in their functions.
Data controllers are entities that determine the means and purposes of data processing. They decide why data processing is required in a particular situation and how such an objective would be achieved. On the other hand, data processors conduct the function of processing in accordance with the instructions of data controllers.
It should be noted that while data processors may exert limited control over how the processing should be conducted, such as choosing a particular type of hardware or software or implementing detailed technical security measures, it is the data controller that determines essential aspects of the means of processing, such as the type of personal data to be processed, the duration of the processing, and the categories of recipients and data subjects.
As per Article 28(10) of the GDPR, if a processor determines the purposes and means of a processing activity, the processor shall be considered a controller in respect of that processing.
As per the definition of a ‘controller’ under the GDPR, there is no limitation on which kind of entity might perform the role of a controller. A data controller could be any natural or legal person, public authority, agency, or other body.
In practice, it is usually an organization, and not an individual within such an organization, who performs the functions of a data controller. It is principally assumed that any processing activity that takes place within an organization is under the control of that organization.
As per Article 26 of the GDPR, where two or more data controllers collectively determine the purposes and means of data processing, they are called joint data controllers. Joint controllers are required to determine their respective responsibilities under the GDPR in a transparent manner by way of a legal arrangement between them, which should duly reflect the respective roles of the controllers with respect to the data subjects.
Such an arrangement should be made available to the data subjects and may include the details of a contact point for the data subjects. It is significant to note that irrespective of the terms of any such arrangement, the data subjects are entitled to exercise their rights under the GDPR in relation to and against each of the relevant data controllers.
Similar to data controllers, a data processor can be any entity, including an organization or an individual. A data controller may choose to engage multiple processors. A processor is a separate entity in relation to the controller, which means that an external organization should process personal data on behalf of the controller.
If a controller organization delegates data processing responsibilities to its own staff or departments, such staff or departments would not be construed as ‘processors’ in terms of the GDPR.
Further, the processor must process personal data on behalf of the controller. Even though a data processor is free to make day-to-day operational decisions regarding the processing and may enjoy a certain level of discretion in choosing appropriate technical and organizational measures to serve the controller’s interests, a processor must implement the instructions of the data controller with respect to the purposes of processing and the essential aspects of the means of processing. A processor may be held liable or fined if it fails to comply with the controller’s documented instructions or with the obligations the GDPR places directly on processors.
Data subjects have the right to claim compensation from data controllers and data processors if their rights under the GDPR are infringed due to non-compliance by a controller or processor. A processor is liable only where it has failed to comply with obligations specifically directed at processors or has acted outside of, or contrary to, the controller’s lawful instructions. Thus, data processors must always ensure that they adhere to the instructions of, and the contractual terms agreed with, the controller.
The GDPR does not define the term “sub-processor”; however, where a data processor decides to outsource part or all of its data processing obligations to a third party with the prior specific or general written authorization of the controller, such third party is commonly referred to as a “sub-processor.” Where the authorization is general, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller has the opportunity to object.
The data processor remains entirely accountable to the data controller for the activities of the sub-processor. Under Article 28(4) of the GDPR, the same data protection obligations that are imposed on the processor through its contract (or other legal act) with the controller must be imposed on the sub-processor by way of a contract or other legal act under applicable law.
Article 24 of the GDPR mandates the data controller to take into account the nature, scope, context, and purposes of any processing activity and the risks posed to the rights and freedoms of natural persons, and consequently implement such appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the requirements of the GDPR.
Under Article 5 of the GDPR, data controllers are responsible for and must be able to demonstrate compliance with the principles of data processing, that is, lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Data controllers should also ensure that all processing activities based on consent are lawful and the consent is duly obtained and validly subsisting in accordance with the GDPR. Controllers are also obligated under the GDPR to provide data subjects with specified information where personal data have been obtained in relation to them.
Controllers should also facilitate the exercise of data subjects’ rights and provide timely information on actions taken in response to any requests regarding data subjects’ rights.
The controllers should use only those processors which provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and protect the rights of the data subjects.
The controller may rely on adherence to approved codes of conduct, as referred to in Article 40 of the GDPR, or approved certification mechanisms, as referred to in Article 42 of the GDPR, as tools that demonstrate compliance with its obligations under the GDPR.
Under the GDPR, data processors are required to provide sufficient guarantees to implement appropriate technical and organizational measures to ensure that all processing activities meet the requirements of the GDPR and protect the rights of the data subject.
The responsibilities of a processor are set out in a contract between the processor and the controller, or in another legal act under Union or Member State law, as required by Article 28(3) of the GDPR. Such an instrument must be in writing (including in electronic form) and must set out the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The instrument shall further stipulate that the processor should:
Where a processing activity (in particular, usage of new technologies) is likely to result in a high risk to the rights and freedoms of natural persons, the controllers are required, prior to the processing, to carry out an assessment of the potential impact of such processing activity on the protection of personal data, in accordance with Article 35 of the GDPR (a “Data Protection Impact Assessment” or “DPIA”).
Data controllers are required under Article 30 of the GDPR to maintain records of their processing activities (a Record of Processing Activities, or “RoPA”); processors must likewise maintain a record of the categories of processing carried out on behalf of each controller. A controller’s RoPA might consist of:
To ensure compliance with data protection by design and data protection by default, controllers must, at the time of determining the means of processing, implement such technical and organizational measures, which effectively mitigate the risks posed to the rights of the data subject as a result of such processing activity.
Further, the controller has a continued obligation throughout the processing activity to monitor changes in the nature, scope, or context of the processing or risks posed to the data subjects, to ensure that appropriate and timely measures are employed to protect the rights of the data subjects.
Under the data protection by default framework, controllers should implement such privacy-oriented processing settings by default, which limit the processing of personal data to that necessary in accordance with predetermined and specified purposes.
Article 37 of the GDPR mandates both controllers and processors to designate data protection officers (the “DPOs”) in cases where:
In the event of a personal data breach, Article 33 of the GDPR requires the data controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, Article 34 additionally requires the controller to communicate the breach to the affected data subjects without undue delay.
Data processors are not required to notify the supervisory authority or the impacted data subjects directly; instead, Article 33(2) of the GDPR requires a processor to notify the data controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own notification deadlines.
Personal data may be transferred to a country outside the European Economic Area only where the European Commission has decided that the destination ensures an adequate level of data protection (Article 45 of the GDPR) or where appropriate safeguards are in place to ensure a level of protection essentially equivalent to that guaranteed inside the EU (Article 46). These safeguards include binding corporate rules, standard contractual clauses (SCCs) adopted by the Commission, and ad hoc contractual clauses authorized by the competent supervisory authority.
When relying on SCCs as a cross-border transfer tool, processors must adhere to the documented instructions of the data controller regardless of whether the controller is the data importer or the data exporter. In controller-to-processor SCCs, any personal data breach must be reported by the importing processor to the exporting controller.
In addition, processors are required to ensure that any onward transfer of the transferred data is limited to specified, explicit, and legitimate purposes, and that onward disclosure of personal data to a third party takes place only where the data importer has been instructed to do so by the exporting controller. Moreover, data importers may engage sub-processors only with the authorization of the controller.
By harnessing the power of artificial intelligence, Securiti enables enterprises to comply with the GDPR’s requirements. Securiti is a leading provider of a ‘Data Command Center’ for security, privacy, governance, and compliance. Its Data Command Center solution offers visibility and controls over data across hybrid and multi-cloud environments.
DSR automation, documented accountability, better visibility into data processing operations, automated personal data linking, and other GDPR-compliance features are deeply integrated into Securiti’s ecosystem.