Like a sea captain, a controller controls data processing and determines the purposes and means of that data processing. This implies important duties and obligations to protect data subjects. The GDPR sets out a variety of obligations for controllers. They will be introduced only briefly in this video, but you will learn more about them in the following steps for this week. For data controllers, one of the most important things to know about GDPR obligations is that controllers need to be able to demonstrate that they have implemented appropriate technical and organisational measures in their processing operations. To comply with their obligations under the GDPR, controllers have to take a number of issues into account and take appropriate organisational and technical measures in this regard.
These issues include the nature, scope, context, and purposes of processing, as well as various risks, including the possible impact on the rights and freedoms of individuals. But how does one take appropriate measures to comply with GDPR obligations? First of all, demonstrating legal compliance is in itself a GDPR obligation. Being able to demonstrate that your organisation is taking compliance measures, both technical and organisational, may save you from potential hazards such as heavy fines or sanctions. Controllers have to implement appropriate technical as well as organisational measures to make sure that the processing of data complies with the GDPR. They have to implement these measures to ensure data protection by design and by default.
For example, right from the design stage, an app designer can take appropriate technical measures to comply with the GDPR and to protect the rights of data subjects. This is data protection by design: built-in technical safeguards. Data protection by default, on the other hand, means that for the app design, only personal data which are necessary for the specific purpose of designing that app are processed, and no more than that. Furthermore, upon request, controllers have to cooperate with supervisory authorities. You can learn more about these supervisory authorities in Week 4. For now, it is sufficient to say that controllers have to take appropriate organisational and technical measures to ensure a level of security appropriate to the risk of processing the data.
In the event of a data breach, controllers have the obligation to notify the supervisory authority of that breach. In certain cases, controllers have additional obligations under the GDPR. For example, under certain conditions determined by the GDPR, controllers may need to conduct a data protection impact assessment and consult the supervisory authorities concerned before processing personal data. Controllers might also need to appoint a data protection officer. Many controllers may need to transfer data outside the EU in our increasingly globalised world. In those cases, they will have special obligations to meet under the GDPR. For more information about transfers outside the EU, please follow our related discussion in Week 4.
Finally, a very important obligation for a data controller is the duty to assist data subjects with exercising their rights to privacy and data protection under the GDPR. For example, a controller has the duty to provide data subjects with sufficient information when collecting personal data. I have spoken briefly about the obligations for controllers under the GDPR. But, of course, there are also joint controllers. As far as joint controllers are concerned, it is important to know that they have the obligation to determine their respective responsibilities for compliance in a transparent manner, and that they bear joint liability under the GDPR in case of a data breach. This will be further discussed in the following steps for this week.
This was a brief illustration of the main GDPR obligations for data controllers. You will learn more about these obligations and how to comply with them in the following steps for this week.
An overview of a controller’s obligations
Controllers control data processing and determine its purposes and means. With this come duties and obligations.
To comply with obligations under the GDPR, Article 24 provides that controllers have to take appropriate organisational and technical measures to protect data subjects and their rights. They need to be able to demonstrate that they have implemented such measures to ensure data protection by design (built-in technical safeguards) and by default (processing only the personal data which are necessary for a specific purpose).
Controllers’ obligations may include:
• To maintain records of all processing activities (Article 30 GDPR);
• To cooperate and consult with supervisory authorities (Article 31 GDPR);
• To ensure a level of security (Article 32 GDPR);
• To notify the supervisory authorities in the event of a data breach (Article 33 GDPR);
• To conduct a data protection impact assessment (Article 35 GDPR);
• To appoint a data protection officer (Article 37 GDPR);
• Specific obligations as regards transfer of data outside the EU (Chapter V GDPR);
• To assist data subjects with exercising their rights to privacy and data protection (Chapter III GDPR).
© University of Groningen