The controller under the GDPR
How is the role of the controller defined in the General Data Protection Regulation?
Many provisions of the General Data Protection Regulation (GDPR) are addressed to the "controller". Article 4 No. 7 GDPR defines the controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller must ensure that the provisions of the GDPR are complied with and that the processing of personal data within its area of responsibility is lawful, and it must be able to demonstrate this (the accountability principle of Article 5(2) GDPR).
Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and Article 26 GDPR applies. Joint controllers must set out transparently, in an arrangement between them, which of them fulfils which obligations under the GDPR. This applies in particular to the exercise of data subjects' rights and to the information duties under Articles 13 and 14 GDPR; the essence of the arrangement must be made available to the data subjects.
What are the obligations of the controller?
The GDPR assigns a whole range of duties to the controller, not all of which can be listed here in full. For example, the controller is responsible for compliance with the processing principles of Article 5 GDPR and is accountable for it. Under Article 12 GDPR, the controller must provide data subjects, in a concise, transparent, intelligible and easily accessible form, with all information and communications required by Articles 13 et seq. GDPR. These include the information to be given when data are collected (Articles 13 and 14 GDPR), the rights to rectification and erasure (Articles 16 and 17 GDPR) and the right to restriction of processing (Article 18 GDPR).
Depending on the nature, scope, context and purposes of the processing and the risk it poses, the controller must, in accordance with Article 24 GDPR, implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing complies with the GDPR. These include data protection by design and by default (Article 25 GDPR) and the security of the processing systems. Article 32 GDPR specifically names the pseudonymisation and encryption of personal data as possible technical measures for achieving a level of security appropriate to the risk, alongside confidentiality, integrity, availability and resilience of the systems, the ability to restore availability after an incident, and regular testing of the measures. Note that pseudonymised data remain personal data as long as the controller or anyone else can re-identify the data subjects using the separately held additional information (Article 4 No. 5, Recital 26 GDPR); pseudonymisation reduces risk but does not remove the data from the GDPR's scope.
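The following Python example, added here and not part of the original article, illustrates what Article 4 No. 5 GDPR means by pseudonymisation: a keyed transformation (HMAC-SHA256) whose key, together with a re-identification table, is the "additional information" that must be kept separately from the pseudonymised data set. It contrasts this with an unkeyed SHA-256 of the identifier, which any party that can guess the identifier can recompute, so it offers no protection against re-identification. It also shows how the separately held table lets the controller still act on an erasure request (Article 17 GDPR). All records, e-mail addresses and the attacker's candidate list are constructed sample data; the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample data set; names and addresses are fictitious.
RECORDS = [
    {"email": "alice@example.org", "plan": "basic", "visits": 12},
    {"email": "bob@example.org", "plan": "pro", "visits": 3},
    {"email": "alice@example.org", "plan": "basic", "visits": 5},
]

# Constructed list of identifiers an attacker might plausibly already hold.
KNOWN_EMAILS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Deterministic, but anyone who can guess the identifier
    can recompute it, so no 'additional information' is needed to
    re-identify: this does not meet the Article 4 No. 5 definition."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the additional information
    that must be stored separately and protected; without it the pseudonym
    cannot be recomputed from a guessed identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, reidentification_table).

    The table maps pseudonym -> original identifier. It must live apart from
    the pseudonymised data (separate system, separate access rights), and it
    is what allows the controller to honour data subject requests."""
    table = {}
    out = []
    for r in records:
        p = keyed_pseudonym(r["email"], key)
        table[p] = r["email"]
        out.append({"subject": p, "plan": r["plan"], "visits": r["visits"]})
    return out, table


def dictionary_attack(pseudonym: str, candidates, func):
    """Attempt re-identification by hashing each candidate identifier with
    the transformation an attacker without the key can compute."""
    for c in candidates:
        if func(c) == pseudonym:
            return c
    return None


def erase_subject(pseud_records, table, email: str, key: bytes):
    """Handle an erasure request: the key holder recomputes the pseudonym,
    drops the matching records and removes the table entry."""
    p = keyed_pseudonym(email, key)
    remaining = [r for r in pseud_records if r["subject"] != p]
    table.pop(p, None)
    return remaining, table


def demo():
    key = secrets.token_bytes(32)  # held by the controller, never with the data
    pseud, table = pseudonymise(RECORDS, key)
    # Same identifier -> same pseudonym, so records stay linkable for analysis.
    linkable = pseud[0]["subject"] == pseud[2]["subject"]
    # Unkeyed hashing falls to a simple dictionary attack.
    naive_hit = dictionary_attack(naive_pseudonym("alice@example.org"), KNOWN_EMAILS, naive_pseudonym)
    # Against the keyed pseudonym the same attack (without the key) finds nothing.
    keyed_hit = dictionary_attack(pseud[0]["subject"], KNOWN_EMAILS, naive_pseudonym)
    # The controller, holding the separate table, can still re-identify.
    reidentified = table[pseud[0]["subject"]]
    remaining, table = erase_subject(pseud, table, "alice@example.org", key)
    return {
        "linkable": linkable,
        "naive_hit": naive_hit,
        "keyed_hit": keyed_hit,
        "reidentified": reidentified,
        "subjects_before": 2,
        "records_after_erasure": len(remaining),
        "subjects_after_erasure": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the controller is organisational as much as cryptographic: the protection of Article 4 No. 5 exists only while the key and the re-identification table are actually held apart from the pseudonymised data and covered by their own access controls. If both are stored in the same database with the same permissions, the data set is pseudonymised in name only.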
Under Article 33 GDPR the controller must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The law makes an exception where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Regardless of whether a notification is made, the controller must document every breach, its effects and the remedial action taken (Article 33(5) GDPR). Where the breach is likely to result in a high risk, the controller must in addition communicate it to the affected data subjects without undue delay, as regulated by Article 34 GDPR.
Under Article 82 GDPR the controller is liable for the material and non-material damage suffered by any person as a result of processing that infringes the Regulation. The controller is exempt from this liability only if it proves that it is not in any way responsible for the event giving rise to the damage.
What are the duties of the controller vis-à-vis the data protection officer?
The controller also has a number of obligations towards its Data Protection Officer. For example, under Article 38 GDPR the controller must support the officer by providing the resources necessary to carry out their tasks and to maintain their expert knowledge, which in practice includes a place to work and training materials such as journals, commentaries and textbooks. Disputes often arise in practice over how much time the Data Protection Officer may spend on this role alongside any other tasks. This varies with the scope and complexity of the data processing operations. In case of doubt, the controller must relieve the Data Protection Officer of other work; in any event, the other tasks must not result in a conflict of interests (Article 38(6) GDPR).
In large companies, contact persons in the specialist departments must support the Data Protection Officer in fulfilling their tasks. In addition, the controller must ensure that the Data Protection Officer has access to all areas in which data processing is carried out and to all relevant documents, personal data and IT systems.