This blog post was created in cooperation with tenfold: https://www.tenfold.com.
The lawful bases for processing sensitive personal data are nonetheless more tightly confined: at least one of the following must apply (some of which overlap with the bases for ordinary personal data):
- Explicit consent of the subject
- Necessary for obligations to employment, social protection and social security laws, and collective agreements
- Protection of subject’s interests when subject is incapable of consent, whether physically or legally
- Processing of data belonging to members or former members of and by a not-for-profit entity with a political, philosophical, religious, or trade union affiliation; strictly prohibited from divulging said data to third parties
- Data made public by subject
- Necessary for legal claims
- Tasks performed in the public interest
- Administering preventative or occupational medicine, assessing subject’s working capacity, medical diagnosis, health or social care
- Public health as a public interest, including protection against cross-border health threats or to guarantee quality healthcare, medicine, or medical devices
- For purposes of data storage, inquiry, and statistics
What Is a Controller?
In GDPR terms, a controller is the entity (a natural person, legal entity, public agency, authority, or similar) that decides why personal data is being processed. Controllers specify whose data will be collected, which categories of data to include, how long the data needs to be stored, and more. A controller also determines whether the data subject needs to be informed that their personal data is about to be processed and whether the subject's consent must be obtained beforehand.
In that same vein, controllers are most often the party that data subjects deal with directly. As the public "face" of the data processing operation, controllers are responsible for ensuring tight controls on how the subject's information is managed. Beyond protecting the trust and privacy of the subject, the controller must ensure compliance with the GDPR at every turn.
But just as the data subject need not be an EU citizen, the controller need not be based in the EU. Controllers can originate anywhere in the world; as long as they process data of natural persons currently in the EU, they are bound by the GDPR. The best-known examples are social media giants such as Facebook and Twitter, search engines like Yahoo!, Bing, and Google, and retailers like Amazon and eBay. Despite being headquartered in the US, these companies must nonetheless meet the requirements of the GDPR or risk non-compliance.
To make matters slightly more complicated, controllers not established in the EU must designate a representative inside the EU to help ensure that data is processed in a way that satisfies the GDPR. The representative does this by coordinating with the governmental body in that member state charged with overseeing GDPR compliance, known as the supervisory authority. It is essentially a checks-and-balances system to prevent rogue data processing by non-EU controllers.
What Is a Processor?
While controllers decide the why and what of personal data processing, processors are the entities designated by the controller to carry out the processing itself. A processor may be a natural person, legal entity, public agency, authority, or similar, and, as with controllers, may be located outside the EU. Regardless of location or type of entity, the bottom line is the same: as long as the processor handles personal data belonging to a natural person in an EU member state, the GDPR applies.
Rather than micromanaging every processing-related task, controllers may choose to rely on the processor's systems and data security. However, controllers remain ultimately responsible for ensuring that the processing is compliant.
What is a Supervisory Authority?
Each EU member state is required by the GDPR to establish a supervisory authority whose chief duty is to monitor whether the regulation is being faithfully applied. The GDPR states in no uncertain terms that the regulation must be enforced consistently in every member state. To make this a reality, supervisory authorities are required to cooperate with one another on matters concerning the free flow of data. Member states may establish multiple supervisory authorities, but one must be chosen to represent them on the European Data Protection Board (EDPB). That same supervisory authority is also required to ensure that the other supervisory authorities comply with the GDPR.
What is a Data Protection Officer?
A Data Protection Officer (DPO) is required under the GDPR to manage and implement an organization's data protection policies. This applies to any entity that stores very large volumes of personal data. And it does not apply only to customer or user data: any organization with a significant data burden, even if only for its own employees, is obligated to appoint a DPO. The GDPR's definition of who counts as a data subject is far-reaching.
Each DPO is in charge of educating the organization, from top to bottom, on the requirements for satisfying the regulation. He or she also conducts training for staff members directly involved in processing personal data, routinely audits the organization's data security, and recommends fixes accordingly. In addition, DPOs liaise with supervisory authorities and enforce the entity's compliance not only with the GDPR but with member state laws as well.
Data subjects may also interact with DPOs as their main point of contact. As the public "face" of the data processing operation, DPOs carry a host of responsibilities, all aimed at remaining as open, transparent, and subject-focused as possible. These include:
- Inform subjects for which purposes their data is being processed
- Provide access to their data
- Explain the safeguards enacted by the company to secure their data
- Disclose the involvement of third parties
- Disclose the duration that their data will be archived
- Respect the subject’s right to have their data deleted
- Fulfill all data requests from subjects promptly, and within one month of receiving the request
Take, for instance, a security firm that uses closed-circuit TV to surveil and monitor communal areas or private businesses. Because its core activities constitute a public task, this firm would need to appoint a DPO. The same is true for any processor engaged in even minimal data retrieval or processing, such as a call center. By contrast, entities that provide only ancillary support, such as payroll and IT support, need not appoint a DPO.
Exactly who can serve as DPO is left largely to the entity's discretion. The DPO may be in-house or external, and they may perform other tasks for the company as well, provided that their other work for the company and their work as DPO do not create a conflict of interest.
While the role of DPO will look different from company to company, there are a few qualifications that the DPO must meet as outlined in the GDPR. These include:
- Expertise in data protection law, both national and European
- In-depth knowledge of the GDPR
- Comprehensive understanding of the organization’s data processing structure
- Ethics and integrity
- Free to carry out their tasks independently
How can Lexidy help?
At Lexidy we can help you assess your company's situation regarding the GDPR and advise you on the right measures to take to comply with the new regulations. Contact us and get a free consultation!