In our series of “essential” information regarding the General Data Protection Regulation (GDPR) here is a look at the role of the controller or the data controller under the GDPR.
We already covered many duties of the controller and how controllers need to enable data subject rights. Data controllers and data processors are the two main types of parties which are involved in the processing and, under the GDPR, duties regarding the protection of personal data so it’s clear that they are all over the GDPR place.
In practice and as mentioned in our overview of the role of the data processor, data controllers and processors work hand in hand. The official definition of a controller under the GDPR as defined in Article 4 of the GDPR text goes as follows: controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;.
The controller is simply the organization or person who disposes of personal data for myriad possible reasons: for marketing, for human resources, for scientific research, for customer service, well, pretty much for everything you can imagine. But simple in the scope of GDPR responsibilities is a different matter. A look at the data controller.
The place of the data controller
In a sense a controller is a processor because simply using personal data or storing them which all organizations do, even if only temporary, already fall under the extremely broad definition of processing personal data (and the fact a controller ‘has’ them means he acquired them one way or the other, depending on the purpose and context, with acquiring also being processing).
Still, with processors, as we saw, the GDPR means organizations or individuals who are tasked with one or more processing activities within a contractual agreement. So the relationship between controller and processor is simply one of conducting business whereby you can’t do everything yourself and, as a controller, de facto use many processors to get things done and be able to do what you need to do.
In the grand scheme of GDPR things you could say there is some kind of a hierarchy. At the very top you have all those EU organizations and instances with a prominent role for the European Data Protection Board, next come the national supervisory authorities or national Data Protection Authorities (DPAs), next you have all the data processors a controller works with and a range of potential sub-processors with specific rules regarding when a processor can appoint those or not. When a data processor wants to work with sub-processors this can only be done when the data controller knows and agrees. There are very strict rules in this regard and the data controller has the lead.
Obviously, depending on the scope, processors work with several controllers, controllers also do business with controllers and controllers also process personal data (and can be controller and processor at the same time too). In that hierarchical view we’d have to put the data subject, people, at the bottom but that would be a bit weird as the GDPR is about the protection of rights and freedoms of data subjects. But you get the picture (and we made one to make it more tangible below).
It’s pretty obvious that the controller is mentioned across loads of GDPR Articles and Recitals, just like the data subject or natural person who is identified or identifiable via his/her personal data. In the end the GDPR is mainly about the relationships between both on the personal data level front and all other actors, from processors to supervisory authorities and people like the DPO (Data Protection Officer), have their place, role and duties in the big legal framework that regulates these relationships, which the GDPR really is.
Responsibilities of the controller under the GDPR
Precisely because controllers (and in a lesser degree processors) are mentioned so often across the GDPR text it isn’t always easy to know what duties they have.
That’s where an overview with the main roles, duties and rights (they do have rights too indeed) of data controllers comes in handy. Of course we can’t cover everything concerning the data controller (well, we could but that would become really long), so here is a summary of some of the main things to know about the controller of the GDPR.
The data controller’s role in being compliant and demonstrating compliance
The first thing a controller needs to do is becoming GDPR compliant. That’s easier said than done but that’s what it is. In order to become GDPR compliant the first step is GDPR awareness: what the heck is the GDPR, what does it mean for a controller and how do you get started?
We’ve tackled a lot of these topics previously in articles on the DPO (Data Protection Officer), data subject rights, our main GDPR page and so forth. Yet, let’s follow the law and summarize.
The controller first of all is responsible for all the principles regarding the processing of personal data as they are mentioned in GDPR Article 5. He must be compliant with these principles to start with. Just being compliant is not enough though, the controller also must be able to demonstrate GDPR compliance. There are many ways to do so and there are even explicit ways to demonstrate compliance that are less known but clearly recognized as such by the GDPR. Two ways to demonstrate GDPR compliance that are perhaps less known and which we tackled before are adhering to a code of conduct and asking a so-called DPIA (Data Protection Impact Assessment) for specific data processing activities (mainly when new technologies such as IoT are about to be used).
Not all data processing activities are the same. A controller must look at all data processing activities and see if they respond to the principles of personal data processing and whether the purpose and nature of the personal data and processing activity doesn’t need more attention than others because the GDPR sees higher risks when they are planned.
The duty of accountability of the data controller
Anyway, back to those principles of personal data processing before going any further. Personal data needs to be processed according to these principles, which apply to processors as well, and don’t take into account special categories of data.
They are sometimes called the principles of lawful processing, although lawful, fair and transparent processing is just one of those principles (and shouldn’t be confused with the legal grounds for the lawfulness of processing personal data).
When summarizing the principles of personal data processing people often talk about the eight (personal) data protection principles. Others speak about six principles because that’s the number that is mentioned in paragraph 1 of GDPR Article 5, each with a summarizing name of the principle. The reason why you’ll often see 8 principles by the way is related with the UK’s Data Protection Act 1998. As a matter of fact all these 8 principles can be found back in the GDPR’s 6 principles in Article 5 AND in other GDPR Articles.
Do note that what’s different with the GDPR is that CONTROLLERS need to demonstrate or show that they are compliant and how as previously mentioned. That’s the second paragraph of Article 5 and in fact could be called a seventh principle as accountability, how it’s called, comes back each time across the GDPR text. If you start really digging deeper you could go further and come up with a list of more principles as well but let’s keep it simple. Below is an overview of those six principles and how accountability and compliance apply to all from the perspective of the accountability duty of the controller.
Responsibilities for controllers: appropriate measures for compliance and data protection by design and default
As you may have noticed in the graphic we added an extract of GDPR Article 24 that covers the essential responsibility of the controller. That Article 24 states the following regarding these responsibilities for controllers:
- The controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR (again emphasizing the fact controllers must demonstrate compliance and of course did all they had to in order to be GDPR compliant).
- Among the measures that the data controller must take is the implementation of the proper data protection policies.
- And, in order to demonstrate compliance, controllers can use specific elements that help in doing so, such as the previously mentioned approved codes of conduct but also certification mechanisms or pseudonymization techniques.
Another duty of the controller is to make sure that the GDPR’s Data Protection by Design and by Default principles are enabled. This again means taking the mentioned proper technical and/or organizational measures but here the GDPR goes a bit further (Article 25) by:
- Recommending the use of pseudonymisation,
- Pointing to measures designed to implement the previously mentioned data protection principles,
- Emphasizing measures with regards to the fact that only personal data which are needed for each single processing purpose are indeed processed with additional details.
More data controller responsibilities: from record keeping and enabling data subject rights to specific obligations
Controllers must also keep records of their processing activities (GDPR Article 30) and when doing so and when preparing new processing activities must consider the appropriate legal grounds for lawful processing as mentioned earlier.
Of course data controllers also need to
- Work with supervisory authorities,
- Check if they need to appoint a DPO and empower the DPO,
- Fulfil their personal data breach notification duties in case there is such a personal data breach (we’ve covered the role of processors and of controllers earlier in an article on personal data breach notification and communication duties),
- Make sure that in case of doubt they resort to the proper methods to check whether an intended new data processing activity is likely to result in high risks or not (where the earlier mentioned DPIA but also the mechanism of prior consultation comes in),
- Chose the proper processors with a clear duty to only work with processors who have the right safeguards in place,
- Take into account special data categories and the special rules regarding the personal data of children, including the need to see if explicit consent is needed when consent is the legal basis for lawful processing,
- Deliver upon their important duty of information, also when the personal data have not been obtained from the data subject (GDPR Article 14),
- Facilitate the exercise of data subject rights (GDPR Article 12),
- Be liable for damage caused by processing which infringes the GDPR and leads to GDPR fines or more (GDPR Article 82),
- Etc.
A great overview of the general and specific responsibilities of the data controller or simply controller can be found in yet another good infographic on the matter from Law Infographic which you can check out below and nicely summarizes the main duties and responsibilities of the data controller (called DC in the infographic).
Next in regulations and compliance: EU DORA Digital Operational Resilience Act
Top image: Shutterstock – Copyright: Gorodenkoff – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.