Joint Controllers: Under the GDPR, two or more controllers can jointly determine the purposes and means of processing personal data. In such cases, they are joint controllers and must have a clear arrangement in place to determine their respective roles and responsibilities.
Joint controllers have to provide clear and transparent information to data subjects about the processing of their personal data, including the identity of all joint controllers and the purposes and means of processing.
In addition, joint controllers must establish a legal basis for the processing of personal data. They are jointly responsible for ensuring compliance with the GDPR.
Joint Processors: In the case of joint processors, the controller can appoint two or more processors to process personal data on behalf of the controller. In such cases, the controller is responsible for ensuring that each processor complies with the GDPR, while each processor is responsible for following the controller's instructions.
The GDPR requires that joint controllers and joint processors enter into a written agreement that sets out their respective responsibilities and obligations. This agreement must also address issues such as liability, data protection impact assessments, and the rights of data subjects.
Relationship Between Controllers, Processors, & Data Subjects
Controllers and processors have a responsibility to protect the rights of data subjects. This includes informing data subjects about the processing of their personal data and obtaining their consent where necessary. Data subjects also have the right to access their personal data, rectify any inaccuracies, and request the erasure of their personal data in certain circumstances.
Controllers and processors must also implement appropriate technical and organizational measures to ensure the security of personal data and protect against unauthorized access, disclosure, or loss.
Obligations Of Controller And Processor In GDPR
In addition to their roles and responsibilities, controllers and processors have specific obligations under GDPR. These include:
- Data protection impact assessment: When processing activities pose a high risk to the rights and freedoms of data subjects, the controller must conduct a data protection impact assessment (DPIA). This involves assessing the potential impact of the processing activities on data subjects and implementing appropriate measures to mitigate any risks.
- Data protection officer: Controllers and processors may appoint a data protection officer (DPO) if they process large amounts of personal data or process sensitive data. The DPO is responsible for ensuring compliance with GDPR and advising the organization on data protection matters.
- Record keeping: Controllers and processors must maintain records of their processing activities. These records may include the purposes of the processing, the categories of personal data, and the recipients of personal data.
- Data breaches: Controllers and processors must notify the relevant supervisory authority of any personal data breaches within 72 hours of becoming aware of the breach. They must also inform data subjects if the breach poses a high risk to their rights and freedoms.
What Are The Penalties For Non-Compliance With GDPR?
The GDPR provides for significant penalties for non-compliance, including fines and other measures designed to enforce compliance. Here are some of the penalties for non-compliance with GDPR:
- Administrative fines: The supervisory authority can impose administrative fines on controllers and processors who violate GDPR provisions. The maximum fine is up to €20 million or 4% of the company’s global annual revenue (whichever is higher) for serious infringements, and up to €10 million or 2% of the company’s global annual revenue (whichever is higher) for less serious infringements.
- Cease and desist orders: The supervisory authority can order a controller or processor to cease certain activities related to the processing of personal data.
- Data subject rights: Data subjects have the right to seek compensation for damages suffered as a result of a GDPR violation, as well as the right to complain to the supervisory authority.
- Data processing suspension: In some cases, the supervisory authority can order the suspension of data processing activities until compliance.
- Reputational damage: Non-compliance with the GDPR can lead to negative publicity and reputational damage. This can have a significant impact on a company’s brand and reputation.
Controllers and processors under the GDPR need to ensure compliance. Failure to do so can result in significant financial penalties and other consequences.
In conclusion, the relationship between controllers and processors is crucial in ensuring compliance with the GDPR. Controllers are responsible for determining the purposes and means of processing personal data, while processors process personal data on behalf of the controller. Both controllers and processors have important obligations under the GDPR to protect personal data and respect the rights of data subjects. Organizations need to understand their roles and responsibilities under the GDPR and seek help if necessary to ensure compliance with this important regulation.
If you are looking to implement any of the Infosec compliance frameworks such as SOC 2 compliance, HIPAA, ISO 27001, and GDPR compliance, Impanix can help. Book a Free consultation call with our experts or email us at [email protected] for inquiries.