Protecting data

Who are the Data Controllers and Data Processors in GDPR?

In my last blog, I talked about the definition of Personal Data and the various data protection actions that Data Controllers and Data Processors may apply to this Personal Data (Anonymize, Pseudonymize and Minimize).

But who are these Data Controllers and Data Processors?

These are the parties that capture, process and store Personal Data belonging to Data Subjects. Under the GDPR Regulation, these parties have obligations to protect the Personal Data of these Data Subjects.

Data Controllers/Data Processors

Data Controllers

This is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law”;

In plain English, this is the party (individual, entity or authority) with which the Data Subject exchanges his or her Personal Data to receive the goods and services.

The GDPR Regulation imposes a range of data protection obligations on the Data Controller, including:

  • Restrict the scope of data that can be collected and the duration of retention of this data
  • Seek and obtain the consent of the Data Subject BEFORE the Personal Data is captured
  • Once received, protect this data
  • Notify data controllers if/when a data breach occurs
  • Appoint a Data Protection Officer or DPO (under certain conditions) – covered in a future blog

Data Processors

Similarly, the Data Processor is “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

This is the party that performs part or all of the processing on behalf of the Data Controller. One of the game changers with GDPR is that Data Processors also have obligations under the regulation, and that these obligations apply even to Data Processors located outside EU jurisdictions, for example a US-based cloud provider performing data processing on behalf of an EU-based Data Controller. Data Processors:

  • Must implement specific organization and technical data security measures
  • Keep detailed records of their processing activities
  • Appoint a Data Protection Officer or DPO (under certain conditions)
  • Notify data controllers if/when a data breach occurs

In view of these GDPR obligations, Data Controllers must exercise more diligence in the processes by which they select new Data Processors and re-qualify existing ones.

Data Controllers must also determine whether they fall under the GDPR Regulation and identify their responsibilities and the measures they must implement vis-à-vis the Personal Data they process.

Lots more to talk about here, but suffice it to say that organizations that fit the definitions of Data Controllers and Data Processors should assess their GDPR-related Data Protection obligations and implement measures and technology-based solutions to enable and enact their compliance.

I will cover further aspects of the GDPR Regulation in upcoming blogs, namely the rights of Data Subjects.

Bassam Zarkout