Roles
Controller is a central role under the GDPR
The controller is a central role under the GDPR. Both legal persons (companies and other organisations) and natural persons can be data controllers, and so can public authorities and institutions. Below you can read more about what it means to be a controller.
“Processor” or “controller”
When a company processes personal data, it does so in the role of either “processor” or “controller”. The role is held by the company as such, not by an individual employee working in it. Individuals can nevertheless hold the role in certain cases, for example an individual who runs a sole proprietorship.
What determines who the controller is
Who holds the role of controller is determined by who decides on the processing. Under Article 4(7) of the GDPR, the controller is the one who determines the purposes and means of the processing, that is, why the personal data are processed and how this is done. The label a party gives itself in a contract does not settle the question; what matters is who in fact makes those decisions.
Joint controller
Two or more companies can be joint controllers when they jointly determine the purposes and means of the processing. It is important that they regulate the relationship between them so that the obligations controllers have under the GDPR can be fulfilled, for example responding to requests from data subjects exercising their rights.
According to Article 26 of the GDPR, joint controllers shall determine their respective responsibilities in a transparent manner by means of an arrangement between them. To be able to demonstrate compliance with Article 26, the joint controllers should set out this arrangement in a written agreement which regulates how each of them fulfils its responsibilities as controller and how the processing is to be carried out. The essence of the arrangement shall also be made available to the data subjects.
Assign responsibility
A controller cannot transfer its responsibility for the processing of personal data to someone else. What it can transfer is the execution of the processing. In other words, the controller always keeps that role under the GDPR for the processing in question.
A controller may engage a processor under Article 28 of the GDPR and instruct the processor to process the personal data in a certain way. The processing is then carried out by the processor, but on behalf of the controller and only on the controller's documented instructions, which Article 28 requires to be set out in a contract or other legal act. The work itself can thus be handed to someone else, but it remains the controller who has decided how and why the personal data are processed, and the controller remains answerable for that processing.
Take appropriate technical and organisational measures
A controller must ensure that personal data are processed securely. Personal data shall be protected against accidental or unlawful destruction, loss or alteration, and against unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This is done by implementing appropriate technical and organisational measures, as required by Article 32 of the GDPR. The measures must be appropriate to the risk: the more sensitive the personal data and the greater the potential harm to the data subjects, the stronger the security measures required. The controller must also be able to demonstrate that the measures are in place and are followed.
Examples of technical and organisational measures
Multi-factor authentication for login
Encryption of files, both when stored and when transmitted
User permissions limited to what each role actually needs
Backup storage, with backups that are protected and regularly tested
Controllers must have a record of processing activities in certain cases
Some companies that are data controllers need to keep a record of their processing activities, and the same applies to processors. According to Article 30 of the GDPR, the record must be in writing, including in electronic form, and it shall be made available to the national supervisory authority on request.
A company with 250 or more employees must always draw up a record of processing activities. A smaller company must do so for any processing that is not occasional, that involves sensitive personal data (special categories of data or data relating to criminal convictions), or that is likely to result in a risk to the rights and freedoms of data subjects. This does not mean that a smaller company has to record all of its processing just because one processing activity meets one of these conditions; it only needs to record the processing activities that do.
For example, if a company has employees and therefore processes their sick leave, it processes sensitive personal data (health data). As this processing takes place regularly rather than occasionally, the company needs to keep a record of this specific processing activity.
Individuals can be data controllers and data processors
A private individual can be a data controller or data processor, for example a sole proprietor. The same applies to a person who has set up a camera on their property or apartment that films a public place: the GDPR's exemption for purely personal or household activities does not cover surveillance that extends beyond the person's own private sphere. In such cases the person may also need permission for the camera surveillance from the competent authority before the camera is put into use. A common mistake is to install a doorbell camera (such as a Ring doorbell) pointed at a public road. It is particularly sensitive if the camera points at someone else's front door, since that makes it possible to monitor when they leave and return home.
More about Roles in GDPR
Companies that process personal data in the role of data processor under the GDPR
A company acts as a data processor under the GDPR when it processes personal data on behalf of another company, that is, according to that company's instructions. For example, an accounting firm processes the personal data that appears in its customer's invoices or payslips for the purpose of managing the customer's accounts. For that processing the accounting firm is the processor and the customer is the controller, and Article 28 requires a contract between them governing the processing. Note that the same accounting firm is the controller when it processes the personal data of its own employees: the role is assessed per processing activity, not per company.