The Data Controller (“DC”) is the person who, alone or jointly, determines the purpose and means of the processing of personal data; in other words, the person who decides why other people’s personal data is processed and how it will be processed. Under Art. 4 (7) GDPR, the DC is the party that determines the purpose and means of the processing of Personal Data (PD).
The Data Processor (DP) is an entity that processes personal data on behalf of, on the instructions of and under the authority of the Data Controller (DC), other than an employee of the DC. This entity can be a natural or legal person, public authority, agency or another body. Under Art. 4 (8) GDPR, the DP processes Personal Data (PD) on behalf of the Data Controller (DC).
Comply with the General Data Protection Regulation
Adopt appropriate technical and organisational measures that implement the data protection principles, in line with data protection by design and by default.
Keep documentation that demonstrates the measures you have in place to comply with the General Data Protection Regulation, their effectiveness, and how they are reviewed and updated.
Data Processor (DP)
If needed, only hire a Data Processor (DP) that provides sufficient guarantees in relation to the technical and organisational measures required by the General Data Protection Regulation. The engagement must be set out in a written contract.
Records of Processing Activities
Maintain an internal document that demonstrates how and why the personal data is being processed (art. 30 (5) General Data Protection Regulation).
Cooperation with the Authority
Cooperate with the Supervisory Authority in the performance of its tasks (art. 57 General Data Protection Regulation).
Security of Processing
Take into account the points set out in the General Data Protection Regulation when implementing technical and organisational measures that ensure a level of security appropriate to the risk.
Notification of a Personal Data breach
If a personal data breach occurs and is likely to result in a high risk to the rights and freedoms of natural persons, notify the data subject without undue delay (art. 34 (3) General Data Protection Regulation).
Data Protection Impact Assessment (DPIA)
Carry out one when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account compliance with codes of conduct and seeking the views of data subjects (art. 35 (5) (10) General Data Protection Regulation).
If the result of a Data Protection Impact Assessment (DPIA) is “high risk in the absence of measures”, consult the authority prior to the processing.
Designation of a Data Protection Officer (DPO)
Appoint a Data Protection Officer (DPO) when the Data Controller (DC) is a public entity (other than courts), or the processing requires regular and systematic monitoring of data subjects on a large scale, or involves special categories of data or criminal records.
Position of the Data Protection Officer (DPO)
Ensure that the Data Protection Officer (DPO) is involved, properly and in a timely manner, in all issues related to the processing; protect its independence and provide it with the necessary resources to fulfil its tasks.
Joint Controllers
Where the purposes and means of processing are determined jointly with other controllers, make an arrangement that determines the duties of each controller, make its essence available to data subjects and designate a contact point for them.
Data Controller (DC) established outside the European Union
Designate in writing a representative in the EU to be addressed in all the issues related to the processing of personal data (art. 27 (2) General Data Protection Regulation).