As mentioned earlier, there are overlaps and gray areas that make it harder to tell whether you are the data controller or the data processor. The GDPR distinguishes between a "controller" and a "processor" because not all organizations involved in processing personal data carry the same level of responsibility. The GDPR defines these terms. Data Protection Officer: a data protection officer is a role within a company or organization whose job it is to ensure that the company.

A company uses an accountant to do its books. When the accountant acts on behalf of the client, the accountant is responsible for the processing of the personal data contained in the accounts. Accountants and similar professional service providers work within a framework of professional obligations that require them to take responsibility for the personal data they process. For example, if the accountant discovers misconduct in the company's billing, he or she may be required to report it to the police or other authorities, depending on the nature of those supervisory duties. In such a case the accountant does not act on the client's instructions but in accordance with his or her own professional obligations, and therefore as an independent controller. In addition to applying appropriate security measures, the controller and the processor must comply with any approved code of conduct or certification mechanism they have agreed to.

Typical tasks a processor carries out for a controller include:
• Designing, building and implementing IT processes and systems that enable the controller to collect personal data.
• Using tools and strategies to collect personal data.
• Implementing security measures that protect personal data.
• Storing personal data collected by the controller.
• Transferring data from the controller to another organization and vice versa.

If the company decides to change the purpose for which the collected personal data is processed, it must review the legal basis on which it relies. Depending on the magnitude of the change (whether the new purpose is compatible with the original one), the company may be able to rely on the same legal basis, unless that basis is consent, in which case the consent must be refreshed for the new purpose.
The processor never owns the personal data. Nor does the controller own the personal data of its customers, prospects, employees and so on: personal data belongs to the natural person it relates to. For simplicity, you can identify the organization as a whole as the controller (for example, you can use the name of the club or group in the privacy information you give individuals). Legally, however, the controller is the members concerned who make the decisions about the organization's processing. Controllers must keep records of processing; organizations with fewer than 250 employees are exempt only if their processing is occasional, unlikely to result in a risk to individuals, and does not involve special-category (sensitive) data. The people whose data you hold can direct requests or complaints to the controller or to the processor. Processors are liable if they act outside the instructions given by the controller or breach the obligations the GDPR places on them. Two terms that run through the text of the GDPR and everything written around it, from the guidelines of the Article 29 Working Party to the recommendations of the supervisory authorities, are the controller and the processor. Employees of the controller are not processors.
A person acting within the scope of his or her duties for the controller acts on the controller's behalf, not as a separate processor. Under Article 29 GDPR, a processor may process personal data only on the controller's instructions, unless required to do so by law. Where a professional is legally required to take such a step, he or she no longer acts on the client's instructions but according to his or her own professional obligations, and therefore as an independent controller. The security measures set out in Article 32 GDPR apply to both the controller and the processor. A contract between a processor and a sub-processor must contain the same data protection obligations as the contract between the controller and the processor. Controllers and processors have obligations to customers, regulators and others in relation to the protection of personal data, under the GDPR and beyond; that is why these contracts exist. Under the GDPR, joint controllers share a common purpose and jointly determine the purposes and means of the processing.
Joint control does not arise merely because two organizations use the same data for their own separate purposes; in that case each is a controller in its own right. An entity can be a controller, a processor, or both, depending on the processing in question. Controllers and processors have different roles and responsibilities, so it is important to know which role you play. For some companies and their third-party service providers the distinction is not as clear as in the example above, which is why the GDPR defines the roles and responsibilities expected of each. Processors must now also keep records, covering the processing that controllers ask them to carry out.

The controller is simply the organization (a legal entity, agency, public authority, etc.) or natural person which, alone or jointly with others, determines what happens to personal data (and usually also collects it), and is therefore central to the protection of that data.

Example: a gym uses a printing house to send invitations to an event. The gym is the controller for the personal data processed in connection with the invitations: it determines the purpose of the processing (sending individually addressed invitations to the event) and the means (mail-merging the data subjects' address data). The printing house is a processor that processes the personal data only on the gym's instructions. Where specialised service providers process data in the context of their own professional obligations, they always act as controllers and cannot agree to hand over or share the controller's obligations with the customer.

The roles and responsibilities of controllers and processors become more important as companies work to maintain GDPR compliance. Understanding the difference between the two, and how your organization's role in a particular scenario changes its responsibilities, is critical to compliance. Processors do not carry the same level of legal obligation as controllers, and they do not have to pay data protection fees. A processor is a separate business entity (a company, partnership or sole proprietor) that serves the interests of, and executes the instructions of, the controller of the personal data. You are a processor if a controller commissions or mandates you to perform tasks such as those listed above. If you are an employee of the controller, by contrast, the GDPR treats you as part of the controller and not as a separate party processing data on its behalf.