The GDPR imposes different obligations depending on whether you are a processor or a controller.

If you are a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data, then you are a controller. If you only process personal data on behalf of a controller, then you are a processor.

As a Controller, you have to:

  • Comply with the “data quality principles”. There are 7 key principles that GDPR sets out:
    • Lawfulness, fairness, and transparency;
    • Purpose limitation;
    • Data minimization;
    • Accuracy;
    • Storage limitation;
    • Integrity and confidentiality (security);
    • Accountability.
  • Appoint a representative: if your company is not established in the European Union but is still subject to the GDPR (because it offers goods or services to, or monitors the behaviour of, people in the EU), you need to designate a representative established in one of the Member States where those data subjects are.
  • Engage any processor only under a binding written contract. The agreement must ensure that the Processor processes personal data only on the Controller’s documented instructions and that the personal data are appropriately secured.
  • Consult the relevant Data Protection Authority (“DPA”) before processing where a data protection impact assessment shows that the processing would result in a high risk you cannot mitigate (the GDPR does not otherwise require you to notify the DPA of your processing before starting it). Appoint a Data Protection Officer (“DPO”) where required. Appointing a DPO is mandatory if:
    • The organization is a public body or authority,
    • The organization’s core activities consist of the data processing operations that require regular and systematic monitoring of data subjects on a large scale
    • The organization’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offenses. The GDPR also permits Member States to specify other circumstances in which a DPO must be appointed. In Germany, for example, the Federal Data Protection Act (BDSG) requires a DPO once an organization regularly employs a certain number of people in the automated processing of personal data (a threshold of 10 when the GDPR took effect, raised to 20 in 2019).
  • Implement appropriate technical and organizational security measures to protect personal data.
  • Ensure that data protection principles and appropriate safeguards are addressed and implemented in the planning phase of processing activities and in the implementation phase of any new product or service. For example, you can adopt pseudonymization or encryption as protection measures at the design stage, and you can make a user’s profile private by default while offering the user the option to make it public. This is data protection by design and by default.
  • Keep records of processing activities and make them available to the DPA on request.
  • Report a personal data breach to the DPA without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • As a joint controller (if together with one or more others you jointly determine ‘why’ and ‘how’ personal data should be processed), you must agree in a transparent arrangement which of you is responsible for which GDPR obligations, and each of you remains answerable to data subjects for compliance.

The obligations of a Processor are just as important to organizations. As a Processor you are obliged to:

  • process data only in accordance with the binding written contract, which must require you to:
    • act only on the Controller’s documented instructions;
    • impose confidentiality obligations on all personnel who process the relevant data;
    • ensure the security of the personal data that you process;
    • abide by the rules regarding the appointment of sub-processors;
    • implement measures to assist the Controller in complying with the rights of data subjects;
    • assist the Controller with data protection impact assessments and with prior consultation of the DPA where required;
    • at the Controller’s election, either return or delete the personal data at the end of the relationship; and
    • provide the Controller with all information necessary to demonstrate compliance with the GDPR.
  • engage a sub-processor only with the Controller’s prior written authorization; under a general authorization, inform the Controller of any intended addition or replacement of sub-processors so that it has the opportunity to object. The lead processor must flow down the same contractual obligations it has with the Controller into its contract with any sub-processor and remains fully liable to the Controller for the actions or inactions of any sub-processor.