Data protection rules involve a number of different stakeholders with varying roles, prerogatives and levels of responsibility. The data controller is defined in article 4(7) of the GDPR as "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing". It is therefore the company or administration which decides to implement a processing operation and which consequently assumes responsibility for it.
Depending on the complexity of the processing, there may be several data controllers. In this case they are known as joint controllers, and their relationship is described as horizontal: they jointly determine the purposes and means of the processing.
General obligations of the Data Controller
The data controller assumes full responsibility for implementing the processing. It determines the scope of the processing to be carried out within the company. In practice, this overall role involves a large number of obligations:
- Draw up a written document specifying the respective obligations of each of the parties involved in the processing operation;
- Appoint a representative within the European Union (for data controllers and processors located outside the European Economic Area);
- Appoint a Data Protection Officer when required;
- Keep a record of processing activities (ROPA), which makes it possible to identify data processing operations and to obtain an overview of what is done with personal data. The record is provided for in article 30 of the GDPR and helps to document compliance. As an inventory and analysis document, it must reflect the reality of personal data processing;
- Carry out a data protection impact assessment (if the conditions are met). A Data Protection Impact Assessment (DPIA) is an analysis that helps to build privacy-friendly data processing and to demonstrate that the processing complies with the GDPR;
- Inform the data protection authority and the persons concerned (mainly candidates) in the event of a data breach. The GDPR requires data controllers to document personal data breaches internally, to notify breaches presenting a risk to the rights and freedoms of individuals to the data protection authority and, in certain cases where the risk is high, to notify the individuals concerned;
- Provide data subjects with the mandatory information. When processing data, the data controller is obliged to inform the data subjects of the categories of data collected, their uses, the purposes of the processing, etc.;
- Process requests to exercise rights (access, erasure, objection, etc.). The persons concerned by the processing of personal data have rights enabling them to keep control of the information concerning them. The data controller must explain to data subjects the procedure (where, how and to whom to apply) for exercising these rights in practice.
Supervision obligations in the context of subcontracting
When using a subcontractor, the controller must select a service provider offering adequate technical and organisational guarantees and complying in all respects with the requirements of the GDPR. The controller must document its instructions to the processor regarding the data processing, so as to keep a written record of them.
To ensure that the processor carries out its tasks properly, the controller may:
- require the processor to provide all the information necessary to demonstrate compliance with their respective obligations;
- carry out an audit, or appoint an auditor, to verify the processor's compliance with the requirements of the GDPR, etc.
The role of the Data Controller is fundamental. In addition to being the driving force and decision-maker, the controller is subject to various obligations which it must respect in order to ensure the confidentiality of information and respect for privacy. As such, it must ensure compliance with the security measures put in place by the company, guaranteeing a level of security adapted to the risk.
What are the penalties?
Data controllers are liable to administrative penalties if they fail to meet their obligations. The amount could be up to €20 million or, in the case of a company, up to 4% of annual worldwide turnover.
Summary table of the main obligations
Nature of the obligations | Data Controller | Data Processor | Joint Data Controller |
---|---|---|---|
Draw up a written document setting out the respective obligations of each of the parties involved | Yes | Yes | Yes |
Document the data controller's instructions concerning the processing of personal data by the processor | Yes | Yes | Yes |
Obtain and retain prior written authorisation from the data controller to use the services of a processor | No | Yes | Yes |
Keep a record of the data processing operations carried out | Yes | Yes | Yes |
Carry out a data privacy impact assessment (PIA / DPIA - if the criteria are met) | Yes | No | Yes |
Inform the other parties involved in the processing (data controller, processor and joint data controller) in the event of a suspected breach of the GDPR | No | Yes | No |
Inform the data protection supervisory authority and/or the persons concerned in the event of a breach of personal data | Yes | No | Yes |
Provide data subjects with mandatory information | Yes | No | Yes |
Process requests to exercise rights (access, deletion, opposition, etc.) | Yes | No | Yes |
Assist the data controller in handling such requests | Yes | Yes | No |