
What are the key differences between data controllers and data processors under GDPR?

The Relationship Between Data Controllers and Data Processors


Data controllers

Under the General Data Protection Regulation (GDPR), a data controller is defined as the entity that determines the purposes and means of processing personal data. This entity can be either a natural or legal person, public authority, agency, or other body. Here are the key responsibilities and roles of a data controller under GDPR:

 

1.      Determining Data Processing Purposes and Means: The data controller decides why and how personal data is processed. This includes setting the objectives for data processing activities and choosing the methods to achieve these objectives.

 

2.      Compliance with Data Protection Principles: Data controllers must ensure that personal data is processed lawfully, fairly, and transparently. They must adhere to principles such as data minimization, accuracy, storage limitation, integrity, and confidentiality.

 

3.      Establishing Legal Basis for Processing: Data controllers must identify and document the legal basis for processing personal data, which could include consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, or legitimate interests.

 

4.      Ensuring Data Subject Rights: Data controllers are responsible for facilitating and upholding the rights of data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.

 

5.      Data Protection Impact Assessments (DPIAs): When processing activities are likely to result in a high risk to the rights and freedoms of individuals, data controllers must conduct DPIAs to assess and mitigate these risks.

 

6.      Engaging Data Processors: Data controllers may engage data processors to process data on their behalf. They must ensure that processors provide sufficient guarantees to implement appropriate technical and organizational measures to comply with GDPR and protect data subjects' rights.

 

7.      Data Processing Agreements: When engaging data processors, data controllers must enter into formal agreements that outline the processors' responsibilities and obligations, ensuring compliance with GDPR requirements.

 

8.      Data Breach Notification: In the event of a personal data breach, data controllers are required to notify the relevant supervisory authority without undue delay, and if the breach poses a high risk to data subjects, they must also inform the affected individuals.

 

9.      Appointing Data Protection Officers (DPOs): In certain circumstances, data controllers must appoint a DPO to oversee data protection activities, ensure compliance with GDPR, and act as a point of contact for data subjects and supervisory authorities.

 

10.   Demonstrating Accountability: Data controllers must be able to demonstrate compliance with GDPR by maintaining records of processing activities, implementing appropriate security measures, and conducting regular audits and reviews of their data processing practices.

 

By fulfilling these responsibilities, data controllers play a critical role in ensuring the protection of personal data and upholding individuals' privacy rights under GDPR.

 

Data processors

Under the General Data Protection Regulation (GDPR), a data processor is defined as an entity that processes personal data on behalf of the data controller. The data processor does not determine the purposes or means of processing; instead, it carries out the processing activities as directed by the data controller. Here are the key responsibilities and roles of a data processor under GDPR:

 

1.      Processing Data on Behalf of the Controller: The primary role of a data processor is to process personal data in accordance with the instructions provided by the data controller. The processor must not process the data for its own purposes.

 

2.      Compliance with Data Processing Agreements: Data processors must adhere to the terms of the data processing agreement (DPA) with the data controller. This agreement outlines the scope, nature, purpose, and duration of processing, as well as the types of personal data and categories of data subjects involved.

 

3.      Implementing Appropriate Security Measures: Data processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

 

4.      Assisting the Controller with Data Subject Requests: Data processors must assist the data controller in fulfilling data subject requests related to their rights under GDPR, such as access, rectification, erasure, restriction of processing, data portability, and objection.

 

5.      Sub-Processing Requirements: If a data processor engages another processor (sub-processor) to carry out specific processing activities, it must obtain prior written consent from the data controller and ensure that the sub-processor is bound by the same data protection obligations as those in the original DPA.

 

6.      Data Breach Notification: Data processors are required to notify the data controller without undue delay after becoming aware of a personal data breach. The controller is then responsible for notifying the relevant supervisory authority and, if necessary, the affected data subjects.

 

7.      Record-Keeping: Data processors must maintain records of all categories of processing activities carried out on behalf of each data controller. These records should include the details of the controller, processing purposes, data categories, recipients, and any transfers to third countries or international organizations.

 

8.      Cooperation with Supervisory Authorities: Data processors are obligated to cooperate with supervisory authorities in the performance of their tasks. This includes providing any information and access necessary for the supervisory authority to carry out its duties.

 

9.      Assisting with Data Protection Impact Assessments (DPIAs): When the processing involves a high risk to the rights and freedoms of data subjects, the data processor may need to assist the data controller in conducting a DPIA and in implementing measures to mitigate the identified risks.

 

10.   Data Protection Officer (DPO): In certain circumstances, data processors may be required to appoint a Data Protection Officer (DPO) to oversee data protection activities, ensure compliance with GDPR, and act as a point of contact for data subjects and supervisory authorities.

 

By fulfilling these responsibilities, data processors ensure that personal data is processed securely and in compliance with GDPR requirements, thereby supporting the data controller in protecting individuals' privacy rights.

 

The relationship between data controllers and data processors under GDPR

Under the General Data Protection Regulation (GDPR), the relationship between data controllers and data processors is defined by specific roles, responsibilities, and obligations. This relationship is crucial for ensuring that personal data is processed in compliance with GDPR requirements. Here are the key aspects of this relationship:

 

1.      Determination of Roles:

a.      Data Controller: Determines the purposes and means of processing personal data.

b.      Data Processor: Processes personal data on behalf of the data controller, following the controller's instructions.

 

2.      Data Processing Agreement (DPA):

A legally binding contract must be in place between the data controller and the data processor.

The DPA outlines the scope, nature, purpose, and duration of processing, the types of personal data, and the categories of data subjects.

It specifies the obligations and rights of both parties, including compliance with GDPR requirements.

 

3.      Responsibilities and Obligations:

Data Controller:

Ensures that the data processor implements appropriate technical and organizational measures to protect personal data.

Conducts due diligence to ensure the processor’s capability to comply with GDPR.

Provides documented instructions to the processor regarding the processing activities.

Facilitates data subject rights and addresses any data protection concerns.

Data Processor:

Processes data only on documented instructions from the data controller.

Implements appropriate security measures to protect personal data.

Assists the controller in fulfilling data subject requests and complying with GDPR.

Notifies the controller without undue delay in the event of a personal data breach.

Ensures that any sub-processors engaged provide the same level of data protection.

4.      Sub-Processing:

Data processors can engage sub-processors only with the prior written consent of the data controller.

The processor must ensure that sub-processors are bound by the same data protection obligations as outlined in the DPA.

5.      Accountability and Documentation:

Both data controllers and data processors must maintain records of processing activities.

The data controller must demonstrate compliance with GDPR by documenting the decision-making process and ensuring the processor’s compliance.

The data processor must keep records of all processing activities carried out on behalf of the controller.

6.      Data Protection Impact Assessments (DPIAs):

When processing activities are likely to result in high risk to individuals' rights and freedoms, the data controller is responsible for conducting DPIAs.

Data processors may need to assist controllers in performing DPIAs.

7.      Liability:

Data controllers and data processors can both be held liable for non-compliance with GDPR.

a.      Controllers are generally responsible for ensuring that processors comply with GDPR.

b.      Processors can be held directly liable for breaches of their specific obligations under GDPR.

8.      Cooperation with Supervisory Authorities:

Both data controllers and data processors must cooperate with supervisory authorities in the performance of their tasks.

They must provide information and access as required by the supervisory authority.

The relationship between data controllers and data processors is foundational to GDPR compliance. Controllers oversee and direct the processing activities, while processors execute these activities within the framework established by the controller and GDPR. Effective collaboration and clear agreements are essential to protect personal data and uphold data subjects' rights.

 

Accountability

Under the General Data Protection Regulation (GDPR), both data controllers and data processors have specific accountability requirements to ensure compliance with data protection principles. Accountability is a core principle of the GDPR, which mandates that organizations must not only comply with the regulation but also demonstrate their compliance. Here’s how accountability applies to both data controllers and data processors:

 

Data Controllers

 

Data controllers bear the primary responsibility for ensuring and demonstrating compliance with GDPR. Their accountability obligations include:

 

1.      Data Protection Principles: Ensuring compliance with the core principles of data protection, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

 

2.      Documentation and Records: Maintaining detailed records of all data processing activities. This includes:

a.      The purposes of processing.

b.      Categories of data subjects and personal data.

c.      Recipients of personal data.

d.      Transfers of data to third countries or international organizations.

e.      Retention periods.

f.       Descriptions of security measures.

 

3.      Data Protection Impact Assessments (DPIAs): Conducting DPIAs for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This involves assessing risks and implementing measures to mitigate them.

 

4.      Legal Basis for Processing: Ensuring that all processing activities have a valid legal basis under GDPR, such as consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, or legitimate interests.

 

5.      Data Subject Rights: Facilitating and upholding the rights of data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.

 

6.      Data Protection by Design and by Default: Implementing appropriate technical and organizational measures to ensure data protection principles are integrated into processing activities from the outset and by default.

 

7.      Data Breach Notification: Notifying the relevant supervisory authority of a personal data breach without undue delay, and if the breach is likely to result in a high risk to individuals, informing the affected data subjects.

 

8.      Appointing a Data Protection Officer (DPO): If required, appointing a DPO to oversee data protection activities, ensure compliance, and act as a contact point for data subjects and supervisory authorities.

 

9.      Contracts with Data Processors: Ensuring that contracts with data processors include specific GDPR-mandated clauses that outline the processor’s obligations and responsibilities.

 

Data Processors

 

Data processors also have specific accountability obligations under GDPR, even though they act on behalf of data controllers. Their responsibilities include:

 

1.      Following Controller’s Instructions: Processing personal data only on documented instructions from the data controller.

 

2.      Implementing Security Measures: Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

 

3.      Assisting Controllers: Assisting data controllers in fulfilling their obligations under GDPR, including responding to data subject requests and conducting DPIAs.

 

4.      Data Breach Notification: Informing the data controller without undue delay after becoming aware of a personal data breach.

 

5.      Sub-Processing: Engaging sub-processors only with the prior written consent of the data controller and ensuring that sub-processors are bound by the same data protection obligations.

 

6.      Record-Keeping: Maintaining records of all categories of processing activities carried out on behalf of each data controller. This includes:

a.      The name and contact details of each controller.

b.      The categories of processing carried out.

c.      Transfers of data to third countries or international organizations.

d.      Descriptions of security measures.

 

7.      Cooperation with Supervisory Authorities: Cooperating with supervisory authorities in the performance of their tasks, providing information and access as required.

 

Joint Accountability

 

In situations where multiple entities act as joint controllers, they must transparently determine their respective responsibilities for compliance with GDPR obligations, particularly regarding the exercising of data subjects' rights and the duties to provide information. This arrangement must be documented in a joint controller agreement, and the essence of the arrangement must be made available to data subjects.

 

Conclusion

Both data controllers and data processors have significant accountability obligations under GDPR. Data controllers are primarily responsible for ensuring compliance, while data processors must support controllers and adhere to specific regulatory requirements. Both parties must maintain detailed records, implement robust security measures, and ensure transparency and cooperation with supervisory authorities to demonstrate compliance with GDPR.

 

Can both data controllers and data processors be held liable under GDPR?

Yes, under the GDPR, both data controllers and data processors can be held liable for any damages caused by data processing activities that infringe the regulation. Here’s how liability is structured for both parties:

 

Liability of Data Controllers

 

Data controllers are primarily responsible for ensuring that personal data is processed in compliance with GDPR. They can be held liable for:

 

1.      Non-Compliance with GDPR Principles: If the data controller fails to comply with the GDPR principles such as lawfulness, fairness, transparency, data minimization, accuracy, and purpose limitation, they can be held liable.

 

2.      Violation of Data Subject Rights: If a data controller fails to uphold the rights of data subjects, such as the right to access, rectification, erasure, restriction of processing, data portability, and objection, they can be held liable.

 

3.      Data Breaches: If a data breach occurs due to the data controller’s failure to implement appropriate security measures, they can be held liable for any resulting damages.

 

4.      Lack of Proper Contracts: If the data controller does not have proper data processing agreements in place with processors, they can be held liable for non-compliance.

 

Liability of Data Processors

 

Data processors are also held accountable under GDPR, though their responsibilities differ from those of data controllers. Processors can be held liable for:

 

1.      Processing Without Instructions: If a data processor processes personal data beyond the scope of the controller’s instructions, they can be held liable for any resulting damages.

 

2.      Failure to Implement Security Measures: If the data processor fails to implement appropriate technical and organizational measures to secure personal data, they can be held liable for data breaches and any resulting damages.

 

3.      Sub-Processor Liability: If a sub-processor is engaged without the controller’s authorization or fails to comply with GDPR obligations, the primary processor can be held liable.

 

4.      Failure to Assist Controller: If the processor fails to assist the controller in complying with GDPR obligations, such as conducting DPIAs or responding to data subject requests, they can be held liable.

 

Joint and Several Liability

 

Under GDPR, both data controllers and data processors can be jointly and severally liable for any damages caused by non-compliance:

 

1.      Joint Liability: If both the controller and the processor are involved in the same processing activity and it results in damage, they can both be held jointly liable. This means that the data subject can seek compensation from either party.

 

2.      Several Liability: If either the controller or the processor is solely responsible for the infringement, they can be held solely liable for the damages caused.

 

Right to Compensation

 

Data subjects have the right to seek compensation for any material or non-material damages resulting from a GDPR infringement. They can claim compensation directly from the data controller and/or processor responsible for the damage.

 

Recourse and Indemnification

 

1.      Recourse: If a data controller or processor is held liable for the entire damage, they have the right to claim back the portion of the compensation corresponding to the other party’s responsibility for the damage.

 

2.      Indemnification: Contracts between data controllers and processors often include indemnification clauses, specifying how liabilities will be shared or reclaimed in case of non-compliance.

 

Conclusion

 

Both data controllers and data processors have significant responsibilities and can be held liable for any damages resulting from non-compliance with GDPR. Their liability can be joint and several, meaning both parties can be pursued for the full amount of compensation. Ensuring compliance with GDPR is crucial for both controllers and processors to mitigate the risk of liability and protect the rights of data subjects.

 

Can both data controllers and data processors face administrative fines for non-compliance with GDPR?

 

Yes, both data controllers and data processors can face administrative fines for non-compliance with the General Data Protection Regulation (GDPR). The GDPR establishes a tiered approach to fines, depending on the nature, severity, and duration of the infringement. Here’s how these fines are structured and applied:

Tiered Fines Structure

The GDPR outlines two tiers of fines based on the type of violation:

 

1.      Lower Tier Fines:

Fines can be up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

These fines apply to infringements of provisions such as:

a.      Failing to implement appropriate technical and organizational measures (Article 32).

b.      Not conducting Data Protection Impact Assessments (DPIAs) when required (Article 35).

c.      Not appointing a Data Protection Officer (DPO) if mandated (Article 37).

d.      Failing to keep records of processing activities (Article 30).

 

2.      Higher Tier Fines:

Fines can be up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

These fines apply to more severe infringements, such as:

a.      Violating the basic principles of processing, including conditions for consent (Articles 5, 6, 7, and 9).

b.      Infringing data subjects' rights (Articles 12 to 22).

c.      Unauthorized international transfers of personal data (Articles 44 to 49).

d.      Failing to comply with an order by a supervisory authority (Article 58).

 

Criteria for Determining Fines

 

When determining the amount of the fine, supervisory authorities consider several factors, including:

 

1.      Nature, Gravity, and Duration of the Infringement: The more severe and prolonged the infringement, the higher the fine.

 

2.      Intentional or Negligent Character of the Infringement: Whether the infringement was deliberate or due to negligence.

 

3.      Any Action Taken to Mitigate the Damage: Efforts made by the organization to reduce harm to data subjects.

 

4.      Degree of Responsibility: Considering the technical and organizational measures implemented by the controller or processor.

 

5.      Previous Infringements: Past compliance history and any prior breaches.

 

6.      Cooperation with Supervisory Authority: The level of cooperation with the supervisory authority to remedy the infringement and mitigate adverse effects.

 

7.      Categories of Personal Data Affected: Sensitivity and volume of the data involved.

 

8.      Manner in Which the Infringement Became Known: Whether the organization self-reported the infringement.

 

9.      Compliance with Approved Codes of Conduct and Certification Mechanisms: Adherence to industry standards and codes of conduct.

 

Joint and Several Liability

 

In cases where both the data controller and data processor are involved in the same processing activity, they can be jointly liable for the infringement. This means that supervisory authorities can impose fines on both parties, depending on their respective roles and responsibilities.

 

Other Penalties and Sanctions

 

In addition to administrative fines, supervisory authorities have the power to impose other corrective measures, including:

 

1.      Warnings and Reprimands: Issued for non-compliance to encourage corrective actions.

 

2.      Orders to Comply: Requiring specific measures to bring processing activities into compliance with GDPR.

 

3.      Data Processing Bans: Temporarily or permanently restricting certain data processing activities.

 

4.      Suspension of Data Transfers: Halting data transfers to third countries or international organizations.

 

Conclusion

 

Both data controllers and data processors must ensure compliance with GDPR to avoid administrative fines and other penalties. The fines can be substantial and are designed to be dissuasive and proportionate to the infringement. By adhering to GDPR requirements, implementing robust data protection measures, and cooperating with supervisory authorities, organizations can mitigate the risk of non-compliance and protect the rights of data subjects.


Warm RegardsπŸ™,

πŸ‘¨πŸ»πŸ’»πŸ›‘️⚖️πŸŽ–️ Anil Patil, Founder & Data Protection Officer (DPO), of Abway Infosec Pvt Ltd.
