Controllers and Processors (3) Flashcards
What is a Data Protection Authority (DPA) or Supervisory Authority (SA)?
An entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
In what 2 scenarios can a processor become a controller?
Retain data for records (beyond the original engagement)
Process beyond instructions of controller
How is a data controller defined?
Article 4
natural or legal person, public authority, agency or body, which alone or jointly with others, determines the purposes and means of processing
Purposes and means: why, how, what data, how long, where, by whom
Does the controller have to have access to the data to be qualified as a controller?
No
What are the 3 obligations for controllers under a joint controllership?
- jointly determine purpose and means
- determine respective responsibilities for compliance with GDPR (particularly inform and respond to data subjects)
- designate a contact point for data subjects
- Essence of arrangement must be made available to data subject
- Data subjects can exercise their rights against either controller
What necessitates a joint controllership?
(EDPB Guidelines 7/2020)
Joint Controllership in 2 Forms:
- A common decision by two or more entities
- Converging decisions by two or more entities
  - Decisions complement each other and are necessary for processing to occur
  - Processing not possible without both parties’ participation
How is a processor defined?
Article 4
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
What are the two basic conditions to qualify as a processor under EDPB Guidelines?
separate entity in relation to controller
processes personal data on controller’s behalf
What are 4 processor requirements under Articles 28 and 30?
Articles 28 and 30
- processes on written instructions only
- assists and informs controller on GDPR infringements
- ensures confidentiality and technical and organisational measures
- keeps record of processing activities
Why is SWIFT an example of a factual controller?
Transferred personal data in response to a subpoena by the US Treasury. The decision to transfer the data designated SWIFT as a controller, even though its contractual designation was processor.
What are considerations as part of pre-contractual due diligence for data processors?
Technical and organisational measures to safeguard data
Data protection knowledge
Recent breaches
Under investigation?
Accreditation
Policy framework
Sub-processors
What components should be included in a processor contract?
(Article 28) a contract must be in place that includes:
subject matter, duration, nature of processing
types of personal data
categories of data subjects
obligations and rights of controller
processor responsibilities
What are contractual terms to engage processors (under Article 28)?
process on documented instructions only
ensure confidentiality
implement appropriate security
controller’s consent to engage processors and flow down contractual terms to subcontractor
assist with data breach notifications
delete or return personal data
assist controller in providing for data subject rights
demonstrate GDPR compliance
contribute to audits
What are the 5 main building blocks in the definition of controller per GDPR?
natural or legal person, public authority, agency, or body
determines
alone or jointly with others
purposes and means
of the processing of personal data
What determines the controller status?
factual elements or circumstances (not necessarily legal context)
What are the controller’s responsibilities related to non-essential means?
must be able to demonstrate that processing is performed in accordance with GDPR (article 24)
use only processors providing sufficient guarantees to implement technical and organisational measures (article 28)
ensure data are subject to appropriate security (article 32)
T/F: It is necessary for a company to have actual contact with personal data to be a controller of that data
False
What are the two forms of determination for a joint controllership?
common decision - decide together
converging decision - decisions complement each other and are necessary for processing to take place
Is a contract required between controllers and processors?
yes
the essence of arrangement should be available to data subject
Can a processor engage another processor?
Not without prior specific and general written authorization of the controller
controller may object
What 3 conditions are required regarding the use of processors?
Recital 81
- only use processors providing sufficient guarantees
- carrying-out of processing should be governed by a contract or other legal act
- processor must return or delete personal data after completion of processing