
GDPR | Seers Article

The General Data Protection Regulation (GDPR) has applied to organisations since May 25th, 2018, and being GDPR-compliant is now a primary goal for every organisation. Two of the most common terms to understand when complying with GDPR are “data controller” and “data processor”, because each carries specific responsibilities under the regulation.

The Data Protection Act 1998 (the DPA), which gives individuals particular rights regarding their personal information, distinguishes between the data controller and the data processor more explicitly.

Under the DPA, not every organisation that processes personal data carries the same responsibility: the data controller directs the processing and also carries the data protection responsibility. This distinction is one of the features of Directive 94/46/EC, on which the UK’s DPA is based.

Section 1 of the DPA draws the data controller vs data processor distinction by stating that data controllers are the ones accountable for the purpose and manner of processing personal data.

Data Subject Access Requests (DSARs) are one of the data subject rights conferred under the General Data Protection Regulation (GDPR). They form part of a group of data subject rights.

By contrast, the data processor acts for a data controller and processes personal data on the controller’s behalf. Collecting, recording, handling information, or carrying out any other operation or set of operations on the data is known as processing.

This definition of ‘processing’ suggests that a data processor’s activities should be limited to the more ‘technical’ aspects of an operation, namely data storage, retrieval or erasure.

The data controller, on the other hand, is responsible for the activities that involve interpretation, the exercise of professional judgement or significant decision-making about personal data.

Under the rules on processing, an organisation must process personal data lawfully and retains its data controller responsibility for that processing.

The organisation cannot step back from that responsibility by handing it over to another data controller or to a data processor.


The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.

The importance of distinguishing between data controllers and data processors

The distinction between data controller and data processor has significant real-world consequences. In the event of a data breach, organisations must involve the ICO.

The ICO will identify the shortcomings and who is accountable for them. Many organisations process personal data, so they must establish their roles and responsibilities before the processing begins.

These steps are necessary to close any gaps in responsibility; otherwise, such gaps can leave subject access requests unanswered.

Identify whether an organisation is a data controller or a data processor

The data controller determines the purposes for which, and the manner in which, personal data are processed. It may do so on its own, jointly or in common with other organisations. In other words, it controls why and how a data processing activity is conducted.

This gives a data controller some flexibility. One data controller may primarily control the purpose of the processing while another controller directs the manner of processing, or the reverse: one controller mainly directs the processing while letting another controller take part in setting its purpose.

Difference between a data controller vs data processor:

The data controller decides the purpose and the means of processing personal data, while the data processor puts that plan, those tools and that purpose into action. Processors process data on behalf of the controller. There may be more than one controller, but usually there is just one, whereas there are often several processors. The controller sets the activities and plans; the processor acts on the given plan.

Thus, the data controller has overall control over the ‘why’ and the ‘how’ of a data processing activity, whereas the processor is one of the operators of its tools.

The processor does not hold any independent control over the processing procedure or decisions. The responsibility to comply with relevant laws and to carry out all activity safely lies with the controller of the data.

Some organisations, such as Facebook and Google, both process and control data. This means they have to ensure safety and compliance in both roles, and so they may have dedicated teams of processors and controllers for each.

Compliance with the data protection principles and rules for data controllers

If one data controller transfers personal data to another data controller, both are equally answerable for the data.

Furthermore, if the sharing is systematic, large-scale or particularly risky, both data controllers ought to sign a data-sharing agreement. The agreement covers aspects such as how the data can be used and whether it can be further disclosed.

Enforcement issues

The agreement sets out the duties of each data controller explicitly, with each controller dealing with a specific aspect of compliance.

If something goes wrong, the ICO will investigate and take action against the data controller that has failed in its data protection obligations. Below are situations in which a data controller may be found to have failed those obligations:

  1. Unreasonable allocation of responsibility between the controllers
  2. One of the data controllers is found to be non-compliant
  3. One data controller receives a subject access request but fails to pass it to the controller responsible for handling requests

Regulations amid data controllers and data processors

There should be a written contract in which the controller gives the processor contractual instructions setting out what it may and may not do with the data.

Transfers of personal data to data processors overseas

The DPA restricts the transfer of personal data outside the European Economic Area. In other words, a data controller must ensure that any personal data transferred overseas is adequately protected.

Data processors who take on data controller responsibilities

If a data processor is served directly with a warrant requiring it to provide particular personal data to a law enforcement agency, it takes on data controller duties of its own.

Acting as a data controller, it will decide how to comply with the request, which data to provide or withhold, and in what format to supply it.

Data processors who are also data controllers

A data processor usually also has its own data controller responsibilities for personal data that it does not process on behalf of its data controller client (for example, its own employee records).

The wind-up line

As an organisation becomes GDPR compliant, the roles and responsibilities of data controller and data processor multiply. A key to compliance is to recognise the difference between these two roles and which one the company plays. For easy and fast compliance, Seers offers a “Free GDPR Audit”, which helps reduce compliance issues and protect your data from cybercriminals.
