The responsibilities of each company or person in the processing of personal data depend on whether they are the controller, the joint controller or the processor. Therefore, it is very important to carefully evaluate your or your company’s role and responsibilities with regard to personal data processing activities in order to understand:
- responsibilities defined by General Data Protection Regulation (GDPR) and how to perform them;
- responsibilities towards individuals and supervisory authorities;
- possible fines related to non-compliance with GDPR;
- how to cooperate with other organisations in order to ensure responsible processing of personal data and respect for the rights of individuals;
- what type of contract to conclude with another organisation or individual.
It is important to remember that an organisation or person that processes personal data is not, by its nature, either a controller or a processor. Instead, one needs to look at the specific personal data and the specific processing activity taking place, and ask who determines the purposes and means of that processing.
Often companies or persons are unaware of their role in the processing of personal data. Even more often, they are deliberately negligent, in an attempt to avoid liability. The good news is that such attempts will be unsuccessful, as, in the case of a data breach, the controller and processor roles will be determined in accordance with the GDPR rather than the contractual agreement.
Why do companies take such a careless approach? The answer is simple: the practice of applying the GDPR is not yet well established. There are few court rulings, and there is still a likelihood that contract terms will be taken into consideration when a case is decided.
There is, however, another pitfall in this context. By misidentifying the data processing roles at the outset, the parties may conclude the wrong form of contract and perform obligations that do not apply to them. When a controller defines itself as a processor, it consciously or unconsciously avoids the obligations the GDPR imposes on controllers.
In other cases, in order to be able to decide matters unilaterally, as the GDPR allows a controller to do, a company may convince a less knowledgeable partner that the partner is the data processor. Consequently, such a “processor” would carry a liability that it would not have to carry if the company had, from the outset, devoted enough time, attention and knowledge to correctly determining its role.
Therefore, the first step in implementing personal data protection is defining your role and the roles of your partners. If you currently lack the knowledge and information or you are not sure that you have made a correct assessment, I suggest you use this TEST to determine your role in the processing of personal data.