GDPR Responsibilities - Data Controller and Data Processor
Editorial team
- Quality Management System

What new roles have come with the GDPR? Who should actually do what in your company?
Can more than one person be responsible for data management? We will guide you to the answers by clarifying the GDPR concepts of controller and processor.
The GDPR, which comes into force on 25 May 2018, contains a number of directives to try to create safer and more transparent data management across the EU. In short, it's about how organizations and companies should be allowed to collect, store and process data from individuals in a secure way.
Read our in-depth article on the GDPR in Sweden here.
With these new laws also come two new roles: controller and processor. The two people (or organizations) have slightly different tasks on their table, but also some common ones. We will go through both roles and dig deeper into who is actually responsible for what when it comes to secure data management.
We'll start with the controller, or as the role is called in Swedish: personuppgiftsansvarig.
What does the data controller do?
In simple terms, the controller is the legal or natural person who makes the decisions on how data should be handled within the organization or company. The controller has overall responsibility for ensuring that all data processing is secure and follows the guidelines of the GDPR Directive, but the actual handling of the data can be left to the processor (which we will get to below).
DPA tip: Introduce policies with good data protection strategies, establish codes of conduct and certifications for all data handlers.
It is also the controller's responsibility to ensure that the company can demonstrate to the DPA how you collect data from customers. It is possible to have two or more data controllers, but they must decide among themselves who has primary responsibility for what.
To be able to demonstrate how security work is done, the DPA recommends, for example, introducing and following policies with good strategies for data protection, and establishing codes of conduct and certifications for everyone who handles data.
Legal or natural person as controller?
As mentioned, either a natural or a legal person can be a controller. A legal person, as you probably know, is a company, business or organization, but it can have rights and obligations similar to those of a natural person. For example, a legal person - such as the Swedish state, a municipality or a limited company - can have the right to enter into contracts, employ staff, be sued in court and now also be a controller or processor under the GDPR.
In a sole proprietorship, for example, the controller is a natural person, while in larger organizations it is almost always a legal person. One advantage of having your company be the controller is that it is the company, rather than an individual, that is responsible for the company's obligations, such as data management. But this does not mean that the real people in the company are fully protected - a legal person cannot commit a crime, so it is the natural person who actually committed the crime who is prosecuted.
In other words, the legal entity can be responsible for ensuring that everyone who handles data within the company does so securely, but if something is done in a criminal way, the legal entity cannot take the fall for the person who is actually guilty. Companies can also be liable to fines under the GDPR, and those fines affect the legal entity. One of the most important tasks of the controller is to decide who in the organization may handle the data on its behalf.
Privacy by design is the controller's responsibility
In our previous article on the GDPR, we talked about privacy by design, or data protection by design, which means that IT systems and procedures are designed with data security in mind, for example through encryption. It is the responsibility of the controller to ensure that the organization has taken such technical measures and that they are adequate. Finally, the controller has one more important task: to decide who in the organization is allowed to process the data on their behalf. These people are processors, or data processors.
What does the processor (data processor) do?
As it is not always the same person(s) making decisions who actually do the job, there is the role of processor, or data processor. This is the person or persons who process data on behalf of the controller, and again this can be both natural and legal persons.
It is the controller who decides who is suitable as a processor, and that decision includes, for example, considering the processor's competence to handle data securely. One example of a processor is a subcontractor who for some reason needs access to customers' personal data.
A processor may propose to the controller that an additional processor be appointed, but may not appoint one on its own without written permission from the controller.
All processors must have a contract with the controller. What should be included in the agreement is described in detail in the Swedish GDPR, but some examples are that the agreement should ensure that the processors
- Process personal data in the manner agreed with the controller, and inform the controller if they need to deviate from it
- Take all necessary technical and organizational measures to handle the data securely
- Ask for written permission from the controller before involving more processors
- Give the controller access to all information about the organization's data management that may be needed during an inspection
- Know how to delete or hand over customer data if the controller requires it.
Joint responsibilities of the controller and processor
There are some things that both controller and processor need to consider. For example, the controller is responsible for making decisions about how the company will handle data securely, but since it is the processor who actually handles the data, the processor also has a responsibility to make sure that the data handling is actually done in an approved way.
Another common denominator for controller and processor is that both can be checked by the Data Inspectorate. If these inspections show that the company's data management does not comply with the guidelines of the GDPR, both controllers and processors can be liable for damages, regardless of whether they are natural or legal persons. Who is liable for what and how much money is involved differs from case to case, but sometimes the liability can be shared between processor and controller.
Want to find out more about the responsibilities of data controllers and data protection officers? The Integrity Protection Authority has a lot of good information.