The way organisations process, store and manage this data determines whether the regulations define them as controllers or processors. Data controllers are natural or legal persons, public authorities, agencies or other bodies that determine the purposes and means of processing the personal data. Data processors are natural or legal persons, public authorities, agencies or other bodies that process personal data on behalf of the controller.
In the event of a data breach, both controllers and processors need to immediately determine the extent of the damage and take appropriate action. Furthermore, depending on the nature of the issue, the organisation must also inform the individuals whose rights and freedoms have been jeopardised.
Under the General Data Protection Regulation, controllers are the primary party responsible for compliance. However, processors also have a host of obligations and they are now directly liable towards data subjects in the event of non-compliance. In that sense, the new regulations provide a cumulative liability regime.
When damage occurs because of unlawful processing of personal data, the controller is liable. The controller must be able to demonstrate that it complies with the basic principles of data protection and the other provisions. While the terms remain similar for controllers, processors have increased liability under the GDPR and, under the new rules, take on numerous obligations.
Furthermore, processors will also need to comply with requirements imposed by way of contract, not just those they must fulfil automatically. The proportional liability regime also requires that negligence and non-compliance be demonstrated.
For the processor to be held liable, it must be shown that it failed to comply with its obligations, that this resulted in real damage, and that there is a causal relationship between the non-compliance and that damage. Once the controller has chosen a suitable processor, it must put in place a contract or other legal act that meets all the requirements of Article 28(3) and give the processor documented instructions to follow, either in the contract or separately.
In particular, Article 28(3)(h) explicitly requires the processor to allow for and contribute to audits and inspections, carried out either by the controller or by a third party appointed by the controller.
The methods used to monitor compliance and the frequency of monitoring will depend on the circumstances of the processing. A controller is primarily responsible for its own compliance and ensuring the compliance of its processors.
Related GDPR provisions:
Processing of personal data relating to criminal convictions and offences.
Transparent information, communication and modalities for the exercise of the rights of the data subject.
Information to be provided where personal data are collected from the data subject.
Information to be provided where personal data have not been obtained from the data subject.
Notification obligation regarding rectification or erasure of personal data or restriction of processing.
November 23. GDPR - A new dawn for data protection or just a moment in time?