According to the GDPR, ‘data controller’ is a company, office, or a person (entrepreneur) who is responsible for the processing of personal data. The controller, either alone or in conjunction with others, determines the purpose and means of personal data processing.
The controller is responsible for the processing of personal data. Any juridical person, i.e. a firm, an individual entrepreneur, but also public authorities, local authorities and other persons, can be a data controller.
The controller is always responsible for the processing of personal data
The controller may delegate the processing of personal data to another entity that is referred to as data processor. Typically, this can be an accounting firm or a company that processes payrolls. However, even if the controller entrusts the processor with the data processing itself, the responsibility is still with the controller. Therefore, it is crucial to choose a reliable processor who provides sufficient guarantees for the data processing. An agreement stipulating duties of the data processor to the data controller should be signed.
What are the basic obligations of the controller emerging from the GDPR?
Controller must make sure that their processes, procedures, records and all the software, applications, and information systems in which they keep personal information, are all right. Likewise, he must be able to give reasons for keeping the personal data and must be able to prove that the purpose of the data processing is legitimate. If this is not the case, the controller has to put in place organizational, procedural and technical measures in order to comply with the GDPR requirements.
- give evidence of what personal data is stored
- prove that personal data is processed only to the extent necessary for a particular purpose
- be able to demonstrate how they handle personal data throughout the processing
- know who have access to the personal data and why (for what reasons)
In addition, controllers must be able to deal with people’s (data subjects’) requests and allow them to exercise their rights, such as:
- right to access their personal information
- right to data portability
- right to erasure
Besides, in the event of personal data leak or data breach, the controller has the obligation to notify the supervisory authority.
What does it mean that the controller determines the purpose of personal data processing?
A controller processes personal data for purposes arising from his activities (for example, from contracts, from business activities or from statutory obligations). He may also process personal data for his or her legitimate interests, such as protecting against fraud. This means that the controller has the responsibility of justifying the purpose of data processing and to support this assertion by legal justification - i.e. prove the legitimacy and necessity of keeping and processing personal data.
The Regulation clearly defines a list of legal grounds for personal data processing:
- Performance of a contract - e.g. a customer contract
- Legitimate interests - such as fraud protection
- Fulfilling legal obligations - such as payroll management
- Protection of vital interests
- Public interest and exercise of public authority
- Data subject consent - wherever the company gets the data subject’s consent; data subject has the right to withdraw their consent at any time
The controller must therefore determine why the personal data is being kept and processed and be able to justify this decision. It is a key element of personal data protection - without proper justification, the controller processes the data illegally. In other words, with missing justification, he is not allowed to store and process the data.
What does it mean that the controller determines the means of personal data processing?
The controller has to make decisions about the company’s infrastructure, i.e. processes, software, information systems, etc. and to ensure that everything meets the personal data security requirements. The controller is obliged to take adequate technical and organizational countermeasures which means countermeasures whose implementation costs would correspond to the potential damage, or rather the endangered data sensitivity. The adequacy of a countermeasure has to be judged by the controller in the first place and he or she also has to be able to defend this decision to the inspector.