Posted by media on May 15, 2018 at 9:00 AM
The new European General Data Protection Regulation (GDPR) broadens the obligations of those who are responsible for and in charge of data processing, the rights of the interested parties, and even includes a new figure, the Data Protection Officer. But who are the main organisations and individuals that are affected by the GDPR?
In the following post, we will address who these and the other protagonists are that define this European regulation, learning more about it just 10 days away from the date on which it becomes fully enforceable.
This post is also available in Spanish.
Table of contents
1.- Data Subject
The EU General Data Protection Regulation, approved in 2016 but not enforceable until May 25th, responds to an increase in cyberattacks and a search for collaboration between public and private entities in their quest to find a solution.
In this article, we will therefore try to describe the different roles and responsibilities that this important regulation outlines:
In the official English version of the Regulation, the term “data subject” is used to refer to individuals who are within the European Union whose data is processed.
This encompasses all natural persons, who can be distinguished as persons with rights in regards to the processing of their personal data.
Article 4 of the GDPR defines the person who is in charge of data processing as a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purpose and means of the processing of personal data.
As the name indicates, they are responsible for the processing of personal data but also for its protection.
The key aspect here is “control”. Even if the data is not in the possession of the organisation, for the purposes of the GDPR, the organisation will be responsible for the data if it has control over the data.
The controller is responsible for determining the purposes for which the personal data is used and what privacy protection should be implemented. They are responsible for collecting personal data and determining the legal basis for doing so. They also determine how long to retain the data for.
The responsibilities of the controllers are established in Article 24 of the Regulation. They include:
The controller can appoint processors for various tasks.
These are natural or legal persons, public authorities or other bodies and organisations that process personal data on behalf of the controller. For example, the controller may have an external IT provider that determines where the data is stored and which technical controls are implemented. That IT company will be the data processor. Or, the controller may pass some personal data to a marketing agency for targeted email campaigns. That agency is a data processor in regards to campaign data.
Other examples of processors would be payroll processing companies, SaaS providers, Cloud service providers, or even companies that provide services related to the secure elimination of personal data.
In summary, any service provider that obtains access to personal data, controlled by the other organisation, is a data processor.
The GDPR has changed these provisions so that both data controllers and data processors are jointly and severally liable for guaranteeing the protection of personal data. Failure to comply with GDPR requirements can result in penalties for both controllers and processors.
As a result, the risks to data processors have increased significantly. The level of responsibility and compliance costs for data processors can also increase if, for example, controllers require the processors to acquire a safety certification or implement additional technical or organisational controls.
It is important that the personal data is always processed in accordance with a written contract, which must indicate:
Processors must also implement the appropriate technical and organisational controls. In addition, they must comply with the multiple requirements provided for in Article 28.
The GDPR dedicates an entire section to this new figure given its relevance, popularly known as DPO.
In organisations, the DPO is a guarantor of compliance with the data protection regulations, without replacing the functions carried out by the supervisory authorities.
This figure is not mandatory for all organisations, only the following will be required to have an officer:
Their functions are regulated in Article 39 of the GDPR, of which the following are the most important:
Supervisory Authority: the independent public authority established by a Member State in accordance with the provisions of Article 51.
Concerned Supervisory Authority: the supervisory authority that is affected by the processing of personal data, because either: a) the controller or processor is established in the territory of the Member State of that supervisory authority; b) the interested parties residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the processing, or c) a claim has been filed with that supervisory authority.
European Commission for Data Protection: the Commission is composed of a supervisory authority from each Member State (28) and the European Data Protection Supervisor. The role of the Commission will be to review what is working and what is not working, and to also give advice and guidance.
New roles have emerged with the GDPR, such as the figure of the DPO (Data Protection Officer), along with new responsibilities and more rights for users.
Thanks to the creation of this common legal framework, an extra security barrier has been created for the main corporate asset of many companies -personal data-, while also offering the data subjects themselves greater control over this data. So although at the moment it may seem like a challenge for the business sector, overall it is definitely a win-win for everyone.This post is also available in Spanish.
Subscribe to our newsletter
Digitizing your company with Signaturit is very easy. Sign up for our newsletter and receive 1 email a month with tips, events and product updates.