In any collaborative information management system, data controllers must be designated who will be liable if something goes wrong. This responsibility may be shared among, or divided between, several different parties. Within the context of the GDPR, a distinction is made between data controllers and data processors in order to allocate the responsibilities that flow from its provisions. A data controller determines the purposes and the means of the processing of personal data (Art. 4(7) GDPR). A data processor, on the other hand, processes personal data on behalf of the controller (Art. 4(8) GDPR). In general, a data controller has to adhere to additional obligations compared to a data processor. The allocation of responsibilities must be agreed upon beforehand by the parties participating in the system. The concept of data controller is referred to throughout the GDPR because of the complexities of the role. The recent changes in the law have placed more stringent duties on the data controller: among other duties, it must facilitate the rights of data subjects and ensure that procedures are in place that allow data subjects to, for example, rectify errors and exercise their right to data portability. It is important that a data controller is aware of the advice of the supervisory authorities and complies with all of its duties in relation to reporting the issues that arise.
Guiding Questions
How are the roles of data controllers and data processors to be established in a collaborative information management system? For example, who is responsible for notifying all parties concerned in case of a data breach?
Who is responsible for keeping logs of the processing activities?
Have processes been put in place that allow data subjects to assert their new rights under the GDPR?
Have all special categories of data (e.g. sensitive data, the data of minors) been assessed, and have procedures been put in place to fulfil the specific legal duties relating to them?