Skip to 0 minutes and 7 seconds Let’s now discuss the key data protection roles that are established by the General Data Protection Regulation. These are the main actors in the context of the new data protection regime that you should be aware of. Given that persons and entities involved in the processing of personal data do not have the same degree of legal responsibility, there is significant distinction made between data controllers and data processors. The former, acting as captains on board of ships, have more far-going legal responsibilities than the latter, who operate as seamen on ships. The obligations of controllers and processors will be addressed later in this course.
Skip to 0 minutes and 48 seconds Data controller or simply controller, entails the natural or legal person, public authority, or any other body that alone or together with others determines the purposes and means of the processing of personal data. Basically, controllers decide what happens with personal data and are responsible for the processing. Among this category of actor, one can find numerous natural persons, such as pharmacists, politicians, lawyers, and others who can process information about individuals, as well as legal persons, such as companies, governmental organisations, non-profit organisations, educational institutions, and others. In addition, we also have processors implying the natural or legal persons, public authorities, or other bodies that engage in the processing of personal data on behalf of controllers.
Skip to 1 minute and 43 seconds Naturally, these persons and entities can be the same as controllers, but their tasks and responsibilities are more limited, given that they only process personal data on controllers behalf. They are required, for instance, to maintain a record of all processing activities and ensure the security of processing, but do not have the main responsibility to apply the data protection by design and by default principle or carry out the data protection impact assessment, which needs to be done by the controllers. An important type of actor, from the perspective of the GDPR, are data subjects who are, in essence, identified or identifiable natural persons whose personal data are processed.
Skip to 2 minutes and 27 seconds In short, it means that they are individuals, like you and me, who have certain personal information that is being processed. Importantly, these persons have significant rights under the GDPR regime that will be examined later in this course. The regulation requires controllers and processors to appoint Data Protection Officers or simply DPOs. They are designated on the basis of their professional qualities and more specifically on the basis of their expert knowledge of data protection law and practices and the ability to fulfil the tasks that must be carried out by them. Here you can see the DPO of the University of Groningen. He will tell you more about himself later in the course.
Skip to 3 minutes and 10 seconds DPOs have significant tasks in any organisation and are responsible for informing and advising controllers, processors, and their employees; monitoring compliance with the GDPR, with other EU and national data protection rules, and with the actual policies of controllers and processors with regard to the processing of personal data; and carrying out other important activities. Finally, one should not forget about supervisory authorities and the European Data Protection Board replacing the Article 29 Data Protection Working Party established under the Directive 95/46/EC. The functioning, the tasks, and the responsibilities of these entities will be explained in more detail later in this course.
Skip to 3 minutes and 58 seconds We have just learned quite a lot about the key data protection roles from the perspective of the General Data Protection Regulation and should now be able to find our way in the labyrinth of rules laid down in the regulation that are applicable to them.
Key data protection roles
Getting to know the main actors under the GDPR and their key data protection roles is crucial to understanding this regulation.
You can find the relevant articles of the GDPR concerning each actor by clicking on the links in this table:
|Data controller||Article 4(7) GDPR|
|Data processor||Article 4(8) GDPR|
|Data subject||Article 4(1) GDPR|
|Data Protection Officer (DPO)||Articles 37-39 GDPR|
|Supervisory authorities||Article 4(21) GDPR and Article 51 GDPR|
|European Data Protection Board||Recital 139 GDPR and Article 68 GDPR|
© University of Groningen