Lecture 8: Data Controller and Data Processor Flashcards
What does a data controller do?
Decides the key elements of the processing, i.e. both the purposes and the means: the controller exercises decision-making power over the purpose (the "why") and decides the essential means (the "how"), e.g. the type of personal data, the categories of data subjects, and the duration of the processing. These decisions should be taken at the start of the processing.
The processor might have some influence on the means of the processing. True or False?
True. The processor may decide on non-essential means, i.e. the more practical aspects of implementation, such as the choice of a particular type of hardware or software or the detailed security measures.
What are the obligations of the data controller?
- Art. 31: obligation for both data controller and data processor to cooperate, on request, with the supervisory authority in the performance of its tasks
- Art. 24(1): the controller must implement, and review and update where necessary, appropriate technical and organisational measures to ensure that processing is performed in accordance with the GDPR. The controller must be able to demonstrate compliance, in line with Art. 5(2).
- If two or more controllers jointly determine the purposes and means of processing, they are "joint controllers". Under Art. 26 they must determine their respective responsibilities for compliance.
What is a data processor?
A separate entity in relation to the controller, processing personal data on the controller's behalf and in accordance with the controller's instructions.
Are the employees and other persons such as temporarily employed staff, acting under the direct authority of the controller considered data processors?
No. They act as part of the controller itself, not as a separate entity (cf. Art. 29: persons acting under the authority of the controller may only process personal data on the controller's instructions).
What governs the relationship between a data controller and a data processor?
A contract (or other legal act) in writing, including when a sub-processor is used, which sets out the duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
What should the contract between a data controller and a processor mention?
The contract should stipulate that the data processor:
- processes the personal data only on documented instructions from the controller;
- ensures that the persons authorised to process the personal data are bound by an obligation of confidentiality;
- takes all the measures required pursuant to Art. 32 (security of processing);
- respects the conditions for engaging another (sub-)processor;
- assists the controller in fulfilling its obligation to respond to requests for exercising the data subject's rights;
- at the choice of the controller, deletes or returns all the personal data after the end of the provision of services relating to the processing;
- makes available to the controller all information necessary to demonstrate compliance, and allows for and contributes to audits and inspections.
Joint controllers have equal responsibilities. True or false?
False. They must determine their respective responsibilities for compliance with the obligations under the Regulation in a specific arrangement between them.
There can be situations where various controllers successively process the same personal data in a chain of operations, each of these controllers having an independent purpose and independent means in their part of the chain. Are they joint controllers in this case?
No. Each of them is an independent (separate) controller for its own part of the chain, since they do not jointly determine purposes and means.
How do you define joint controllers?
Art. 26(1): where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.
Joint controllers may have different responsibilities. In case of a data breach, are they differently liable for it?
No. The internal allocation of responsibilities under Art. 26 does not limit liability towards the data subject: the data subject may exercise their rights against each of the joint controllers regardless of the arrangement (Art. 26(3)), and each controller involved in the same processing can be held liable for the entire damage caused by it (Art. 82(4)).
What are the main characteristics of a data controller to data controller relationship
- There is no requirement for a written agreement when a controller transfers personal data to another controller that uses the data for its own purposes, nor do they have to comply with Art. 26 (they are not joint controllers).
- They need to ensure that a legal basis for transferring the personal data can be found
Should the data controller be accountable under the GDPR?
Yes. Art. 5(2) states:
> The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')
This sets out who is responsible for compliance with the data protection principles of Art. 5(1).
In the case of joint controllers, should the agreement be made available to the data subject to any extent?
Yes, its essence. The EDPB "recommends documenting the relevant factors and the internal analysis carried out in order to allocate the different obligations. This analysis is part of the documentation under the accountability principle."
- The essence of the arrangement shall be made available to the data subject (Art. 26(2))
- Data subject may exercise their rights against each of the joint controllers