Duties and Obligations of a Data Controller under EU GDPR
The European Union General Data Protection Regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and safeguard the data privacy of all EU citizens.
The EU GDPR becomes fully enforceable on May 25, 2018 (the enforcement date). Extraterritorial applicability is one of the key features of this regulation: it applies to all companies processing the data of data subjects residing in the European Union, regardless of the company's location.
So if you are an internet company based in India, or anywhere else in the world, without a presence in the European Union, the probability of coming under the ambit of the regulation is still very high. Entities not in compliance with the regulation after the enforcement date may face hefty fines.
This post is the first in a series of posts I will be writing on the GDPR in the coming days. In this series I will list the rights, obligations and duties of the various stakeholders under the regulation. The present post covers the Duties and Obligations of a Data Controller.
The Controller is defined under Article 4(7) of the regulation:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
The controller must ensure compliance with the regulation. Mere compliance is not enough; the Controller must also be able to demonstrate GDPR compliance (Art. 5).
Chapter 4 (Art. 24 to Art. 43) of the regulation lists the duties of the Controller and the Processor.
Responsibilities of a Controller under Art.24:
- The controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.
- Among these measures, the data controller must have a proper code of conduct and data protection policies, as provided under Article 40 of the regulation.
- The Controller shall have an appropriate certification mechanism in place. Certification shall be voluntary and available via a transparent process.
Data Protection by Design (Article 25):
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement:
- the use of pseudonymisation,
- measures designed to implement the data protection principles mentioned under Art. 24,
- measures ensuring that only the personal data which are needed for each specific processing purpose are in fact processed.
Maintain record of processing activities (Article 30):
Each Controller and, where applicable, the Controller’s representative, shall maintain a record of processing activities under its responsibility. Such records shall be in writing, including in electronic form.
The record-keeping obligation shall not apply to an enterprise or an organisation employing fewer than 250 persons (see Article 30(5)).
Cooperation with the Supervisory Authority (Article 31):
The Controller must cooperate with the Supervisory Authority in the performance of its tasks. The tasks of supervisory authorities are listed in Article 57.
For a Controller established outside the EU:
A Controller shall designate in writing a representative in the EU, to be addressed on all issues related to the processing for the purposes of compliance with the GDPR.
For Joint Controllers:
Unless determined by Union or Member State law, the joint controllers shall determine, in a transparent manner, their respective responsibilities by means of an arrangement, the essence of which shall be made available to the data subjects. They shall also designate a point of contact for the data subjects.
Notification of a personal data breach (Articles 33 and 34):
In the event of a data breach, the controller must report the breach to the supervisory authority within 72 hours. Where the report is made after 72 hours, it shall be accompanied by the reasons for the delay (Art. 33).
In the event of a data breach causing a high risk to data subjects, the controller must notify the affected data subjects without undue delay. Such communication with the data subject shall be in plain language (Art. 34).
The notifications under Art. 33 and 34 must include at least: i) the name and contact details of the Data Protection Officer (or other relevant point of contact); ii) the likely consequences of the data breach; and iii) any measures taken by the controller to remedy or mitigate the breach.
However, the Controller may be exempt from notifying the data subject if the risk of harm is remote because the affected data are protected (e.g., by strong encryption); if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects anticipated by the breach is no longer likely to materialise; or if the notification would require disproportionate effort (in which case the controller must instead issue a public notice of the breach).
Data Protection Impact Assessment (DPIA):
Where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the Controller must, prior to such processing and in consultation with the Data Protection Officer, carry out a DPIA in compliance with approved codes of conduct. The Controller is exempted from the DPIA if the processing falls under the activities exempted by Art. 35(5) and (10) GDPR.
Prior Consultation (Art.36):
If the results of the DPIA indicate that the processing would result in a high risk in the absence of measures taken by the controller to mitigate such risks, the Controller shall consult the Supervisory Authority prior to processing the data.
Designation and Position of a Data Protection Officer (DPO) (Art.37):
The Controller must appoint a DPO, and involve him/her properly and in a timely manner in all issues related to the processing of personal data, when it processes on a large scale personal data that require regular and systematic monitoring of data subjects, special categories of data, or data relating to criminal convictions or offences. This duty also applies to public authorities or bodies, except for courts acting in their judicial capacity.
The Data Protection Officer may be a staff member of the controller, or fulfill the tasks on the basis of a service contract. The controller shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Further reading:
Chapter 10: Obligations of controllers – Unlocking the EU General Data Protection Regulation
Who is the Data Controller and what are its responsibilities under the GDPR?