The responsibilities and obligations of the controller and the processor correspond to the level of risk of their data processing activities. This reflects the risk-based approach on which the GDPR is built.
The controller is obliged to implement appropriate and effective measures and must be able to demonstrate that its processing activities comply with the GDPR. The measures implemented by the controller should take into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons. Those measures shall be reviewed and updated where necessary.
What are the obligations of the processor?
The processor processes personal data only on behalf of the controller and is usually a third party external to the controller. However, within a group of undertakings, one undertaking may act as processor for another undertaking in the same group.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must state what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. A processor may only sub-contract part of its task to another processor, or appoint a joint processor, once it has received the controller's prior (specific or general) written authorisation. In several cases the GDPR also imposes obligations directly on the processor, for example on the security of processing, on keeping records of processing activities and on notifying the controller of personal data breaches.
What does the Data Protection by Design and Data Protection by Default principle mean?
The controller should implement technical and organisational measures at the earliest stages of the design of the processing operations, in such a way that privacy and data protection principles are safeguarded right from the start (data protection by design). By default, the controller should ensure that only the personal data necessary for each specific purpose of the processing is processed, in terms of the amount of data collected, the extent of the processing, the storage period and the accessibility of the data (data protection by default). In particular, personal data should not, by default, be made accessible to an indefinite number of persons without the individual's intervention.
The accountability principle.
The principle of accountability is a cornerstone of the GDPR. According to the GDPR, the controller is responsible for complying with all data protection principles and must be able to demonstrate that compliance. The controller has a proactive obligation to implement relevant technical and organisational measures at all stages of data processing. The GDPR provides businesses/organisations with a set of tools to help demonstrate accountability, some of which are mandatory in specific cases.
For example, appointing a data protection officer (DPO) or carrying out a data protection impact assessment (DPIA) is mandatory in specific cases. Controllers can also choose to use other tools, such as codes of conduct and certification mechanisms, to demonstrate compliance with data protection principles.