The first step to comply with the GDPR is to define the entity’s status under the GDPR: it can be a Data Controller or a Data Processor or, in some cases, both. Only with a clear determination of the role can an assertive assessment of the rights and obligations of that particular company be made. And only then will the legal practitioner be able to prepare the appropriate legal safeguards and provide unmistakable guidance to the other departments, such as Compliance, IT, Marketing, Sales, HR and others.
Since the determination of the entity’s role is the cornerstone of privacy by design in any company, the assessment can only be done by a person or group of individuals with a deep understanding of the business activities and the Law. It should be noted that taking the risk of a wrong identification can jeopardize the privacy and data protection system in your company; as in the construction field, a defective cornerstone can cause the house to fall down.
Having said that, there are cases where a company, when providing its services, acts as a data processor (processes PD under the instructions and on behalf of another) and also acts as a data controller (determines the purposes and means of the processing of PD), and these cases are not as uncommon as we might think. A good example is described in the Handbook on European Data Protection Law: “the Everready company specializes in data processing for the administration of human resource data for other companies. In this function, Everready is a processor. Where Everready processes the data of its own employees, however, it is the controller of data-processing operations for the purpose of fulfilling its obligation as an employer.”
In that order of ideas, a company is, in most cases, both a data processor and a data controller; the key point is to distinguish when it acts as a data controller and when it acts as a data processor or sub-processor. It is clear when we see that for personal data “X” the company acts as a data processor and for personal data “Y” the company acts as a data controller; but in reality, sometimes the same data has to be used by the same company to fulfil different roles.
For instance, a service provider of an Investment Fund that collects and processes the personal data of the Fund’s investors as a Data Processor shall also process the same personal data, as a Data Controller, to fulfil its own legal obligations for AML, FATCA and CRS.
The lawinfographic prepared for this article aims to provide a clear picture of how the data flows when a company is a data processor and a data controller at the same time and for the same data. This should help legal specialists in the field of data protection in determining the role of any company under the GDPR. It also seeks to help individuals understand how their personal data can be processed for several purposes and by different parties.
Each lawinfographic has a visual presentation and keywords that allow any person to comprehend the main topic at a glance. The lawinfographic and article contain several examples that have been taken from EU law, regulations, guidelines and opinions on the matter, and these are precisely referenced in the documents. If you require more information, do not hesitate to consult the lawinfographic sources below each article or to contact me; you can leave me a comment or reach me on LinkedIn.