Who is the Data Controller?
Approach to the Data Controller
The Data Controller is a particularly relevant figure in the Data Protection Regulation, especially since Law 3/2018 on Personal Data Protection and guarantees of digital rights (LOPDGDD) was approved in 2018, but do we really know who the Data Controller is and what its obligations are?
Who is the Data Controller?
The first idea about who is the Data Controller is found in Article 4.7 of the GDPR, where it is defined as follows:
“the natural or legal person, public authority, service or other body which alone or jointly with others determines the purposes and means of processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its appointment may be laid down by Union or Member State law.”
Therefore, the Data Controller is the one who decides the purpose of the processing and the means to be used for it; that is to say, the Controller answers the questions of why and how the processing is carried out, these being the essential questions of the processing itself.
Regarding the question of who can be the Data Controller, it must be said that there are no restrictions in this respect; that is, it can be a natural or legal person, whether in the private or public sphere.
In the event that we are dealing with a group of companies, to identify the data controller we will have to look for the parent company, and then locate the rest of the companies that could act as data processors.
To put it more clearly, if a company processes, for example, data of its own customers or employees, it is the Data Controller, since it decides how and why such data is processed and does not process it because a third party has commissioned or delegated it to do so.
If a company has delegated the processing of data to a third party (e.g. labor management), and this involves the processing of personal data (e.g. payroll), that third party is considered a Data Processor, which must also comply with the Data Protection Regulation.
What are the obligations of the Data Controller?
The Data Controller has numerous data protection obligations, compliance with all of which must be demonstrable; the most relevant are highlighted below:
Record of Processing Activities
Known by the acronym RAT, it consists, in short, of identifying each personal data processing operation carried out by the Data Controller.
The RAT must contain very specific details of the data processed and include a risk assessment, which will determine the security measures to be implemented, and it must be recorded and approved by Management.
Data Protection Impact Assessment
Known by the acronym EIPD, it should be prepared according to the result of the risk assessment mentioned above.
The EIPD includes risk reduction and accountability measures, as well as an Action Plan to be implemented, with the corresponding follow-up and approval, with the participation of the Data Protection Officer.
Data Protection Officer
The Controller must appoint a DPD if so required by the Data Protection Regulation, this being a relatively recent figure since the approval of the GDPR in May 2006.
The DPD may be a legal or natural person and must prove their knowledge and experience in data protection, and the designation must be notified to the AEPD register within the legally established period.
Action protocol for security breaches
A Security Breach Policy must be drafted, with the steps to follow in the event of a breach. It should be noted that the deadline for notifying the AEPD is 72 hours after the breach occurs, and only when notification is necessary, since an assessment must be carried out beforehand.
Policy of attention to the exercise of data protection rights
The Data Controller must draw up a policy with the steps to be followed when a request to exercise data protection rights is received. It must also be made known to all employees.
Duty to inform and obtain the consent of data subjects
When the Controller wants to process personal data, it is mandatory to provide all data subjects with the information required by data protection law and to be able to prove that it has done so.
Likewise, the Controller must obtain the consent of the data subjects to process such data, except in the cases provided for in the Data Protection Regulations.
It should be emphasized that compliance with all these obligations must be demonstrable by the Controller, since the GDPR establishes proactive responsibility (accountability) as one of the Controller's obligations (art. 5.2 GDPR).
How to fulfill all these obligations?
The Data Controller can find an ally in an expert data protection consultancy to comply with these obligations: taking on a large part of them, advising on the matter and auditing to ensure full compliance and avoid penalties, which can reach up to 20 million euros or 4% of annual turnover.
If you need help, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in our contact form: https://businessadapter.es/contacto