What Are Your Obligations?

Organizations process data either in the role of a data controller or in that of a data processor, and their obligations and responsibilities differ depending on that role. Because every organization processes at least some personal data (e.g. employee personal information), each falls into either the processor or the controller category.

Obligations for Data Processors:

As a data processor, you may process data only according to the controller’s requirements, as specified in the controller/processor contract. As a consequence, data processors need to comply with many of the data controllers’ obligations.

The processor is obliged to inform the controller about any new sub-contractors (sub-processors), and to pass the obligations it has toward the controller on into its contract with the sub-processor.

The processor is also obliged to inform the controller if any instruction in the contract would breach the GDPR.

Processors must keep a record of all categories of processing activities they carry out.

Data processors are obliged to inform the controller of a data breach as soon as possible after becoming aware of it.

Both data processors and controllers are obliged to appoint a Data Protection Officer (DPO) in situations such as when their activities require regular, large-scale monitoring of data subjects, or when they involve large amounts of sensitive data (e.g. data on criminal offences).

Obligations for Data Controllers:

As a data controller, you may only select data processors that provide proof that they can perform their processing duties in compliance with the GDPR.

Data controllers, as well as processors, must implement security measures appropriate under the GDPR for the data they process.

Data controllers are obliged to inform data subjects of a breach when it is “likely to affect” them (e.g. when names or e-mail addresses are involved), and to inform both the data subjects and the Data Protection Authority (DPA) within a maximum of 72 hours if the breached data also contains monetizable data (e.g. bank account numbers).

All in all, per Article 24 of the GDPR, data controllers are responsible for ensuring that any processing activities performed comply with the GDPR.