The first step to comply with the GDPR is to define the entity’s status under the GDPR: it can be a Data Controller, a Data Processor or, in some cases, both. Only once the role is clearly determined can the rights and obligations of that particular company be assessed with confidence. And only then will the legal practitioner be able to prepare the appropriate legal safeguards and provide unmistakable guidance to the other departments, such as Compliance, IT, Marketing, Sales and HR, among others.
Since the determination of the entity’s role is the cornerstone of privacy by design in any company, the assessment can only be done by a person or group of individuals with a deep understanding of the business activities and the law. It should be noted that a wrong identification can jeopardize the privacy and data protection system in your company; as in construction, a defective cornerstone can cause the house to fall down.
Having said that, there are cases where a company, when providing its services, acts as a data processor (processes personal data (PD) under the instruction and on behalf of others) and also acts as a data controller (determines the purpose and means of the processing of PD), and these cases are not as uncommon as we might think. A good example is described in the Handbook on European Data Protection Law: “the Everready company specializes in data processing for the administration of human resource data for other companies. In this function, Everready is a processor. Where Everready processes the data of its own employees, however, it is the controller of data –processing operations for the purpose of fulfilling its obligation as an employer.”
In that order of ideas, a company is, in most cases, both a data processor and a data controller; the key point is to distinguish when it acts as a data controller and when as a data processor or sub-processor. The distinction is clear when, for personal data “X”, the company acts as a data processor and, for personal data “Y”, it acts as a data controller; but in reality, sometimes the same data has to be used by the same company to fulfil different roles.
For instance, a service provider of an Investment Fund that collects and processes the personal data of the Fund’s investors as Data Processor must also process the same personal data, as Data Controller, to fulfil its legal obligations under AML, FATCA and CRS.
Do you have questions about whether you are acting as Data Controller, Data Processor, or both under some circumstances? Do not hesitate to reach out.