Controllers and Processors (3) Flashcards
What is a Data Protection Authority (DPA) or Supervisory Authority (SA)?
An entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
In what 2 scenarios can a processor become a controller?
Retains data for its own records (beyond the original engagement)
Processes beyond the instructions of the controller
How is a data controller defined?
Article 4
natural or legal person, public authority, agency or body, which alone or jointly with others, determines the purposes and means of processing
Purposes and means: why, how, what data, how long, where, by whom
Does the controller have to have access to the data to be qualified as a controller?
No
What are the 3 obligations for controllers under a joint controllership?
- jointly determine purpose and means
- determine respective responsibilities for compliance with GDPR (particularly inform and respond to data subjects)
- designate a contact point for data subjects
- Essence of arrangement must be made available to data subject
- Data subjects can exercise their rights against either controller
What necessitates a joint controllership?
(EDPB Guidelines 7/2020)
Joint controllership takes 2 forms:
- A common decision by two or more entities
- Converging decisions by two or more entities
  - Decisions complement each other and are necessary for the processing to occur
  - Processing is not possible without both parties’ participation
How is a processor defined?
Article 4
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
What are the two basic conditions to qualify as a processor under EDPB Guidelines?
separate entity in relation to controller
processes personal data on controller’s behalf
What are 4 processor requirements under Articles 28 and 30?
Articles 28 and 30
- processes on written instructions only
- assists and informs controller on GDPR infringements
- ensures confidentiality and technical and organisational measures
- keeps record of processing activities
Why is SWIFT an example of a factual controller?
Transferred personal data in response to a subpoena by the US Treasury. The decision to transfer the data designated SWIFT as a controller, even though its contractual designation was processor.
What are considerations as part of pre-contractual due diligence for data processors?
Technical and organisational measures to safeguard data
Data protection knowledge
Recent breaches
Under investigation?
Accreditation
Policy framework
Sub-processors
What components should be included in a processor contract?
(Article 28) a contract must be in place that includes:
subject matter, duration, nature of processing
types of personal data
categories of data subjects
obligations and rights of controller
processor responsibilities
What are contractual terms to engage processors (under Article 28)?
process on documented instructions only
ensure confidentiality
implement appropriate security
controller’s consent to engage sub-processors, with the contractual terms flowed down to the subcontractor
assist with data breach notifications
delete or return personal data
assist controller in providing for data subject rights
demonstrate GDPR compliance
contribute to audits
What are the 5 main building blocks in the definition of controller per GDPR?
natural or legal person, public authority, agency, or body
determines
alone or jointly with others
purposes and means
of the processing of personal data
What determines the controller status?
factual elements or circumstances (not necessarily legal context)