
GDPR Learning Hub


Different roles according to GDPR

The GDPR assigns different roles to organisations that process personal data. Every company that processes personal data and falls within the scope of the GDPR acts, for each processing activity, either as a "controller" or as a "processor".

Who must comply with GDPR - Different roles according to GDPR

Examples of personal data are names, telephone numbers and any other data that can be linked to an identified or identifiable living natural person. In other words, most companies process personal data, for example personal data belonging to their customers and/or employees. Note that it is not an individual at the company who is the controller or processor; it is the company itself (the legal entity) that holds the role. An individual may hold the role personally if, for example, he or she runs a sole proprietorship. In addition, some companies are required to appoint a Data Protection Officer. Below is a summary of these different roles under the GDPR.

Controller according to the GDPR

It is the controller who determines the purposes and the means of the processing, that is, why and how personal data is processed. The responsibility of being the controller cannot be transferred to someone else. What can be transferred is the actual performance of the processing, which the controller may entrust to a processor.

Joint controller according to article 26 of the GDPR

Several actors may jointly determine the purposes and means of processing and thereby be joint controllers under Article 26 of the GDPR. In such cases it is important to regulate the relationship between the joint controllers.

This is necessary to ensure that they comply with all provisions of the GDPR, for example the rights of data subjects. Under the GDPR, the respective responsibilities of the joint controllers must be set out in a "joint arrangement", and the essence of that arrangement must be made available to the data subjects. The arrangement should be documented in writing so that it can be proven.

Processor according to the GDPR

A processor processes personal data on behalf of another actor, the controller. The processor may only process the personal data in accordance with the controller's documented instructions. Examples of companies that are usually processors:

  • Provider of cloud services, such as cloud storage.
  • Accounting firms and accounting system provider.
  • Programming companies and other types of consultants. 

Processors and controllers need to keep a record of their processing operations in certain cases

Both processors and controllers must keep a record of their processing activities in certain cases. This follows from Article 30 of the GDPR. A company with 250 or more employees must always keep such a record, regardless of whether it is a processor or a controller. Smaller companies must also keep a record if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if it includes special categories of personal data or data relating to criminal convictions and offences. For example, a company that has employees and therefore processes sick-leave information is processing health data, which is a special category of personal data, and must keep a record of that processing.

Please note that a company covered by the exemption for smaller companies does not need to record all of its processing activities; it is sufficient to record those activities to which the record-keeping obligation applies. However, if you are unsure which processing activities must be listed in the record, it is better to register more processing activities than too few.

The difference between controllers and processors

Processors receive instructions from the controller on why and how to process the personal data. The processor thus processes personal data on behalf of another party, the controller, and it is the controller who determines the purposes of the processing. This in turn means that the processor may not process the personal data in breach of those instructions. A processor that goes beyond its instructions and determines its own purposes and means for the processing is treated as a controller for that processing.

The controller and the processor shall enter into a written data processing agreement that regulates the processing, in accordance with Article 28 of the GDPR. The agreement may be concluded in electronic form, but oral data processing agreements are not valid under the GDPR.

The relationship determines whether an actor is a controller or processor


It is not the wording or content of a data processing agreement that determines whether an actor is a controller or a processor. What determines the roles is the actual relationship between the parties, that is, who in fact decides the purposes and means of the processing. This means that the parties cannot simply agree on who will have which role.


A company may be a controller for certain processing operations and a processor for others. For example, consider a company that has employees and provides a cloud service in which its customers can store backup files containing personal data. When the cloud service provider processes the personal data of its own employees, it is a controller. When it processes the backup files uploaded by its customers, it is a processor.

Data Protection Officer according to the GDPR

Some companies are required to appoint a data protection officer (DPO). The DPO monitors the company's compliance with the GDPR, for example by informing and advising management on data protection matters, by acting as the contact point for the supervisory authority and by cooperating with it in the event of supervision. In addition, the company must involve the DPO when carrying out a data protection impact assessment, and also when it is considering whether such an assessment is needed before starting a new processing of personal data. If the company appoints a DPO, it must publish the DPO's contact details and communicate them to the supervisory authority.

Personal responsibility

The controller or processor is responsible for ensuring that it complies with the GDPR; the data protection officer has no personal responsibility for this. In addition, the company may not dismiss or penalise the data protection officer for performing his or her tasks, even when the outcome is something the company does not like. It may, for example, be the case that the data protection officer advises the company not to carry out a certain processing that it really wants to do.

Knowledge and personal qualities

A data protection officer needs expert knowledge in order to perform his or her duties in the role: in particular knowledge of data protection law and practice, including the GDPR, an understanding of the company's core business, and the ability to build a data protection culture within the business. Personal qualities also play an important role. It is beneficial if the data protection officer is a good leader who dares to speak in front of large groups and has good communication skills.

Data protection officer shall be independent

A data protection officer shall have an independent position in the company. This does not mean that the person may not have other duties within the company; that is allowed, provided there is no conflict of interest. A conflict of interest may arise, for example, if a member of management is also the company's data protection officer, or if the person makes decisions about the core business that determine the purposes and means of a processing of personal data, since the DPO would then be monitoring his or her own decisions.

More information about GDPR

Different types of personal data breaches according to GDPR

According to the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to unauthorised disclosure of, or access to, personal data. Examples of personal data breaches are a computer containing personal data that crashes when there is no backup (a loss of availability), and an email containing personal data that is sent to the wrong recipient (an unauthorised disclosure). Companies shall prevent personal data breaches by taking appropriate technical and organisational security measures. Examples of such measures are keeping backup copies and implementing internal procedures for employees.

