Obligations of controllers and processors Flashcards
What responsibilities do controllers have?
Article 5(2) - Accountability
Article 24 - Responsibilities (implement technical and organisational measures and policies)
Article 25 - Privacy by design/default
Article 26 + 82 - Joint controllers and liability in cases of compensation
Article 27 - Representatives when not established in EU
Article 28(1-3) - Only use processors providing sufficient guarantees and make data processing agreement
Article 30 - Records of processing activities
Article 31 - Cooperation with DPA
Article 32 - Security of processing; tech/org measures
Article 33 - Notification of DPA of data breach
Article 34 - Notification of subject of data breach
What are a processor’s obligations?
Article 28
(1) Provide sufficient guarantees to controller to implement tech/org measures to be compliant with GDPR
(2) Must obtain consent from controller before engaging sub-processor
(3) Enter into contract
(4) Liable for performance of sub-processor’s obligations
Article 29 - Only process data on instructions from controller
Article 30 - Keep records of processing activities
Article 33(2) - Notify controller of data breach
Article 37 + 38 - Designate DPO
Article 44 - Transfers only when compliant with chapter V
Article 82 - Processor liable in regards to compensation but exempt if it proves that it is not in any way responsible for the event giving rise to the damage.
When is a DPIA in particular required?
Article 35(3)
(a) Systematic and extensive evaluation of persons based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect a person
(b) Processing on a large scale of Art. 9 data and Art. 10 data
(c) Systematic monitoring of a publicly accessible area on a large scale
What must a DPIA contain?
Article 35(7)
(a) Systematic description of processing + purposes
(b) Assessment of necessity and proportionality
(c) Assessment of the risks to rights and freedoms
(d) Measures envisaged to address the risks: safeguards, security measures and mechanisms to ensure protection
Are there any exceptions to the requirement of a DPIA?
Article 35(5) A DPA has made a list of processing operations for which no DPIA is required (under the consistency mechanism)
Article 35(10) Processing pursuant to (c) and (e) of Article 6 (legal obligation + public interest) has a legal basis, and thus a DPIA has already been carried out in the context of the adoption of that legal basis.
Is a DPIA permanent/final?
Article 35(11) When there is a change of the risks, the controller shall carry out a review.