Module 3: Controllers & Processors

Question 1

What is a data subject?

Answer 1

An individual about whom information is being processed.

Question 2

What is a controller?

Answer 2

An organisation or individual with the authority to decide how and why personal data about subjects is to be processed.

Question 3

How does GDPR define a data controller?

Answer 3

Article 4(7) - natural or legal person, public authority, agency or other body which alone or jointly with others determined the purposes and means of processing of personal data”

Question 4

When might two organisations be considered joint controllers?

Answer 4

When both jointly determine the purposes and means for processing a data set.

Question 5

Under Article 26, what are the obligations for joint controllers?

Answer 5

To determine their respective responsibilities for compliance with the obligations under GDPR in a compliant manner - e.g. data subject rights, DSARs, contact points and making the essence of their arrangement available to data subjects

Question 6

Irrespective of the terms of the arrangement between joint controllers, data subjects can…

Answer 6

Exercise their data rights against either controller.

Question 7

An example of joint controllers.

Answer 7

A travel agency sharing data with airlines and hotels; each controller is responsible for its own processing.

• Two controllers sharing a black list
• Fincrime / police

Question 8

What is a processor?

Answer 8

An org or individual that processes data on behalf of the data controller (Article 4(8))

Question 9

Under Article 29, what does a processor do?

Answer 9

Processes on written instruction only.

Question 10

Under Article 28, what does a processor do?

Answer 10

Provides a service to the controller and assists and informs them of any GDPR infringement.

Question 11

Under Article 28, what does a processor have the obligation to do?

Answer 11

Protect personal data and ensure confidentiality and appropriate technical and organisational measures are in place.

Question 12

Under Article 30, what must a processor do?

Answer 12

Demonstrate compliance by keeping a record of processing activities on all categories of personal data processing being carried out on behalf of the controller. It has enhanced obligations under GDPR.

Question 13

Under Article 28, if a processor infringed on the regulation by determining the purposes and means of the processing, the processor will…

Answer 13

Be considered a controller in respect of that processing.

Question 14

In relation to processors, an organisation should…

Answer 14

• Choose reliable processors
• Maintain quality control and compliance throughout the duration of the arrangement
• Frame the relationship in a contract or legally binding act
• Do due diligence to check that the processor has appropriate technical and organisational measures to secure data, and a good knowledge of data protection, before signing any contract.

Question 15

What should a controller check about a processor before entering a contract, aside from due diligence?

Answer 15

Whether they are under investigation, have any high profile recent breaches, their accreditations, policy frameworks and any sub processors

Question 16

What should a controller <> processor vendor contract include under Article 28?

Answer 16

The subject matter, duration and nature of processing, along with the types of personal data and categories of data subjects. It should also outline obligations and rights of. the controller, and processor responsibilities.

Question 17

A processor should…

Answer 17

Process on documented instructions only
Ensure confidentiality
Implement appropriate security
Seek consent from controller to engage further processors
Assist with breach notifications
Delete or return personal data
Assist the controller with DSRs
Demonstrate GDPR compliance
Contribute to audits and inspections

Question 18

How should an org manage vendor risk?

Answer 18

Third party due diligence
Contracts and agreements
The right to audit

Question 19

What is a Data Protection Authority (DPA)?

Answer 19

AKA a supervisory authority under GDPR - enforces privacy or data protection laws and regs (e.g. ICO)