The extent to which an organization is subject to obligations under EU data protection law depends on whether it is a ‘data controller’. Generally speaking, a party that handles personal data on behalf of the data controller is known as a ‘data processor’ and is subject to far fewer obligations under the law.
Does it matter whether you are a controller or a processor?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is the organization that processes the data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
In the context of the ManageMyVessel application, in the majority of circumstances our customers are acting as the controller. Our customers, for example, decide what information from their contacts or subscribers is uploaded or transferred into their portal, who has access to that information, and how it is used and reported.
ManageMyVessel is acting as a processor by hosting the information on our servers and allowing your users to access the information.
So, the organisations that determine the means of processing personal data are controllers, regardless of whether they collect the data directly from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organisation (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. Such processors can be datacenters or document management companies. Both organisations (controller and processor) are responsible for handling the personal data of these customers.
What are the controllers’ responsibilities?
According to Article 5 of the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.
According to Article 24 of the EU GDPR, “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
Examples of such measures are allocating responsibilities for data protection, carrying out a data protection impact assessment and a risk mitigation plan, implementing pseudonymization (processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately), and applying data minimization, all in order to meet the requirements of this Regulation and protect the rights of data subjects.
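Pseudonymization and data minimization are the two technical measures above that are easiest to get wrong in practice, so here is an added example of how a controller could apply both before handing records to a processor. This is illustrative code written for this page, not ManageMyVessel's own code; the sample records, the field names, the processor's assumed purpose (scheduling vessel inspections) and the function names are all constructed assumptions. The pseudonym is a keyed HMAC rather than a plain hash, so the processor can still link records of one subject, but nobody holding only the processor's copy can confirm a guessed email address without the key; the key and the re-identification table are the "additional information" that stays with the controller.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample data (not from the page): a customer's subscriber records
# as they exist on the controller's side before upload to a processor.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Example",
     "vessel": "MV Example One", "inspection_due": "2024-06-01"},
    {"email": "bob@example.com", "name": "Bob Example",
     "vessel": "MV Example Two", "inspection_due": "2024-07-15"},
    {"email": "alice@example.com", "name": "Alice Example",
     "vessel": "MV Example Three", "inspection_due": "2024-09-30"},
]

# Data minimisation: the only attributes the processor needs for its
# (hypothetical) purpose of scheduling inspections. Name and email are not.
FIELDS_NEEDED_BY_PROCESSOR = ("vessel", "inspection_due")


def pseudonym_for(email: str, key: bytes) -> str:
    """Derive a stable pseudonym from a direct identifier with a keyed HMAC.

    Same email + same key -> same pseudonym, so the processor can still link
    records belonging to one subject. Without the key, a guessed email cannot
    be hashed and compared, which is exactly what an unkeyed SHA-256 of the
    email would allow.
    """
    normalised = email.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    return digest[:16].hex()


def pseudonymise_dataset(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (records for the processor, re-identification table for the controller).

    The first list is what is uploaded; the lookup table and the key never leave
    the controller.
    """
    lookup: Dict[str, str] = {}
    for_processor: List[Dict[str, str]] = []
    for rec in records:
        pid = pseudonym_for(rec["email"], key)
        lookup[pid] = rec["email"]
        minimal = {f: rec[f] for f in FIELDS_NEEDED_BY_PROCESSOR if f in rec}
        for_processor.append({"subject_id": pid, **minimal})
    return for_processor, lookup


def re_identify(pseudo_record: Dict[str, str], lookup: Dict[str, str]) -> str:
    """Controller-side reversal: only possible with the separately held table."""
    return lookup[pseudo_record["subject_id"]]


def leaked_direct_identifiers(
    pseudo_records: List[Dict[str, str]], records: List[Dict[str, str]]
) -> set:
    """Sanity check before upload: no raw email or name may survive."""
    direct = {r["email"] for r in records} | {r["name"] for r in records}
    return {v for pr in pseudo_records for v in pr.values() if v in direct}


if __name__ == "__main__":
    # In production the key would come from a key store; generated here for the demo.
    key = secrets.token_bytes(32)
    uploaded, table = pseudonymise_dataset(SAMPLE_RECORDS, key)
    assert not leaked_direct_identifiers(uploaded, SAMPLE_RECORDS)
    for row in uploaded:
        print(row)
    print("controller can re-identify row 0 as:", re_identify(uploaded[0], table))
```

The check in `leaked_direct_identifiers` is the kind of control a controller can point to when asked to demonstrate compliance under Article 24: it is a concrete, repeatable test that the processor's copy contains neither the identifiers nor the surplus fields.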
If several organisations share responsibility for the processing of personal data, the EU GDPR provides for joint controllers. They must determine their respective responsibilities by agreement and make the content of this agreement available to the data subjects, defining a single point of contact for communication with processors.
What are the processors’ responsibilities?
According to Article 28 of the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
This means that any EU or non-EU company that wants to stay in business, whether as controller or processor, will have to implement the controls necessary to comply with the EU GDPR, because fines can be applied to both controllers and processors. According to Article 83, fines shall be imposed having regard to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.”