[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHVRa4XwmuxiT0YTS-qcEChrZv7rGar5LyC0379Kyp_g":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":7,"lang":12,"url":13,"intro":14,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":55,"imageThumbUrls":56,"id":64},true,"Data protection rules involve a number of different stakeholders with varying roles, prerogatives and levels of responsibility. The **data controller** is defined in **article 4-7 of the GDPR** as \"*the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing*\". It is therefore the company or administration which **decides to implement a processing operation** and which therefore assumes **responsibility** for it. \r\n\r\nDepending on the complexity of the processing, there may be **several data controllers**. In this case, they will be referred to as **joint controllers**. This is referred to as a **horizontal relationship** in which they jointly determine the purposes and means of the processing.\r\n \r\n## General obligations of the Data Controller\r\n \r\nThe data controller assumes full responsibility for implementing the processing. He determines the **contours of the processing** to be carried out within the company. 
In practice, this overall role involves a large number of obligations:\r\n\r\n- Draw up a written document specifying the **respective obligations** of each of the parties involved in the processing operation;\r\n\r\n- Appoint a **representative within the European Union** (for data controllers and processors located outside the European Economic Area);\r\n\r\n- Appoint a Data Protection Officer when required;\r\n\r\n- Keep a **record of data processing activities (ROPA)** which makes it possible to identify data processing operations and to obtain an **overview** of what is done with personal data. The record is provided for in **article 30** of the GDPR. It helps to document **compliance**. As an inventory and analysis document, it must reflect the **reality of personal data processing**.\r\n\r\n- Carry out a **data protection impact assessment** (if the conditions are met). A Data Protection Impact Assessment (DPIA) is an analysis that helps to **construct privacy-friendly data processing** and to **demonstrate the compliance** of its processing with the GDPR.\r\n\r\n- Inform the **data protection authority** and the **persons concerned** (mainly candidates) in the event of a **data breach**. The GDPR requires data controllers to **document**, internally, personal data breaches and to **notify** breaches presenting a **risk to the rights and freedoms** of individuals to the data protection authority and, in certain cases, where the risk is high, to the individuals concerned.\r\n\r\n- Provide data subjects with the **mandatory information**. When processing data, the data controller is obliged to inform the data subjects of the **categories** of data collected, their **uses**, the **purposes** of the processing, etc.\r\n\r\n- Process requests to **exercise rights** (access, erasure, objection, etc.). The persons concerned by the processing of personal data have rights enabling them to **keep control** of the information concerning them. 
\r\nThe data controller must **explain** to data subjects the procedure (where, how and to whom to apply) for exercising these rights in practice.\r\n\r\n## Supervision obligations in the context of subcontracting\r\n\r\nWhen using a **subcontractor**, the controller must seek out a service provider with **adequate guarantees** in technical and organisational terms, complying in all respects with the requirements of the GDPR. The controller must **document its instructions** regarding data processing by the processor, in order to keep a written record of them.\r\n\r\nTo ensure that the processor carries out its tasks properly, the controller may:\r\n\r\n- require the processor to provide all the information necessary to **demonstrate compliance with their respective obligations**;\r\n- carry out an **audit** or appoint an auditor to verify the **compliance of the processor with the requirements of the GDPR**, etc.\r\n\r\nThe role of the Data Controller is fundamental. In addition to their role as driving force and decision-maker, they are subject to various obligations which they must respect in order to ensure the **confidentiality** of information and **respect for privacy**. As such, they must ensure compliance with the **security measures** put in place by the company, guaranteeing a level of security **adapted to the risk**.\r\n\r\n## What are the penalties?\r\n\r\nData controllers are liable to **administrative penalties** if they fail to meet their obligations. 
The amount could be up to **€20 million**, or, if it concerns a company, up to **4% of annual worldwide turnover**.\r\n\r\n## Summary table of the main obligations\r\n\r\n| Nature of the obligations | Data Controller | Data Processor | Joint Data Controller |\r\n| --- | --- | --- | --- |\r\n| Draw up a written document setting out the respective obligations of each of the parties involved | Yes | Yes | Yes |\r\n| Document the data controller's instructions concerning the processing of personal data by the processor | Yes | Yes | Yes |\r\n| Obtain and retain prior written authorisation from the data controller to use the services of a processor | No | Yes | Yes |\r\n| Keep a record of the data processing operations carried out | Yes | Yes | Yes |\r\n| Carry out a data privacy impact assessment (PIA / DPIA, if the criteria are met) | Yes | No | Yes |\r\n| Inform the other parties involved in the processing (data controller, processor and joint data controller) in the event of a suspected breach of the GDPR | No | Yes | No |\r\n| Inform the data protection supervisory authority and/or the persons concerned in the event of a breach of personal data | Yes | No | Yes |\r\n| Provide data subjects with mandatory information | Yes | No | Yes |\r\n| Process requests to exercise rights (access, deletion, opposition, etc.) | Yes | No | Yes |\r\n| Assist the data controller in handling such requests | Yes | Yes | No |","\u003Cp>Data protection rules involve a number of different stakeholders with varying roles, prerogatives and levels of responsibility. The \u003Cstrong>data controller\u003C/strong> is defined in \u003Cstrong>article 4-7 of the GDPR\u003C/strong> as \"\u003Cem>the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing\u003C/em>\". 
It is therefore the company or administration which \u003Cstrong>decides to implement a processing operation\u003C/strong> and which therefore assumes \u003Cstrong>responsibility\u003C/strong> for it.\u003C/p>\r\n\u003Cp>Depending on the complexity of the processing, there may be \u003Cstrong>several data controllers\u003C/strong>. In this case, they will be referred to as \u003Cstrong>joint controllers\u003C/strong>. This is referred to as a \u003Cstrong>horizontal relationship\u003C/strong> in which they jointly determine the purposes and means of the processing.\u003C/p>\r\n\u003Ch2 id=\"general-obligations-of-the-data-controller\">General obligations of the Data Controller\u003C/h2>\r\n\u003Cp>The data controller assumes full responsibility for implementing the processing. He determines the \u003Cstrong>contours of the processing\u003C/strong> to be carried out within the company. In practice, this overall role involves a large number of obligations:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Draw up a written document specifying the \u003Cstrong>respective obligations\u003C/strong> of each of the parties involved in the processing operation;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Appoint a \u003Cstrong>representative within the European Union\u003C/strong> (for data controllers and processors located outside the European Economic Area);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Appoint a Data Protection Officer when required;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Keep a \u003Cstrong>record of data processing activities (ROPA)\u003C/strong> which makes it possible to identify data processing operations and to obtain an \u003Cstrong>overview\u003C/strong> of what is done with personal data.\r\nThe record is provided for in \u003Cstrong>article 30\u003C/strong> of the GDPR. It helps to document \u003Cstrong>compliance\u003C/strong>. 
As an inventory and analysis document, it must reflect the \u003Cstrong>reality of personal data processing\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Carry out a \u003Cstrong>data protection impact assessment\u003C/strong> (if the conditions are met). A Data Protection Impact Assessment (DPIA) is an analysis that helps to \u003Cstrong>construct privacy-friendly data processing\u003C/strong> and to \u003Cstrong>demonstrate the compliance\u003C/strong> of its processing with the GDPR.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Inform the \u003Cstrong>data protection authority\u003C/strong> and the \u003Cstrong>persons concerned\u003C/strong> (mainly candidates) in the event of a \u003Cstrong>data breach\u003C/strong>.\r\nThe GDPR requires data controllers to \u003Cstrong>document\u003C/strong>, internally, personal data breaches and to \u003Cstrong>notify\u003C/strong> breaches presenting a \u003Cstrong>risk to the rights and freedoms\u003C/strong> of individuals to the data protection authority and, in certain cases, where the risk is high, to the individuals concerned.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Provide data subjects with the \u003Cstrong>mandatory information\u003C/strong>. When processing data, the data controller is obliged to inform the data subjects of the \u003Cstrong>categories\u003C/strong> of data collected, their \u003Cstrong>uses\u003C/strong>, the \u003Cstrong>purposes\u003C/strong> of the processing, etc.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Process requests to \u003Cstrong>exercise rights\u003C/strong> (access, erasure, objection, etc.). The persons concerned by the processing of personal data have rights enabling them to \u003Cstrong>keep control\u003C/strong> of the information concerning them.\r\nThe data controller must \u003Cstrong>explain\u003C/strong> to data subjects the procedure (where, how and to whom to apply) 
for exercising these rights in practice.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch2 id=\"supervision-obligations-in-the-context-of-subcontracting\">Supervision obligations in the context of subcontracting\u003C/h2>\r\n\u003Cp>When using a \u003Cstrong>subcontractor\u003C/strong>, the controller must seek out a service provider with \u003Cstrong>adequate guarantees\u003C/strong> in technical and organisational terms, complying in all respects with the requirements of the GDPR. The controller must \u003Cstrong>document its instructions\u003C/strong> regarding data processing by the processor, in order to keep a written record of them.\u003C/p>\r\n\u003Cp>To ensure that the processor carries out its tasks properly, the controller may:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>require the processor to provide all the information necessary to \u003Cstrong>demonstrate compliance with their respective obligations\u003C/strong>;\u003C/li>\r\n\u003Cli>carry out an \u003Cstrong>audit\u003C/strong> or appoint an auditor to verify the \u003Cstrong>compliance of the processor with the requirements of the GDPR\u003C/strong>, etc.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>The role of the Data Controller is fundamental. In addition to their role as driving force and decision-maker, they are subject to various obligations which they must respect in order to ensure the \u003Cstrong>confidentiality\u003C/strong> of information and \u003Cstrong>respect for privacy\u003C/strong>.\r\nAs such, they must ensure compliance with the \u003Cstrong>security measures\u003C/strong> put in place by the company, guaranteeing a level of security \u003Cstrong>adapted to the risk\u003C/strong>.\u003C/p>\r\n\u003Ch2 id=\"what-are-the-penalties\">What are the penalties?\u003C/h2>\r\n\u003Cp>Data controllers are liable to \u003Cstrong>administrative penalties\u003C/strong> if they fail to meet their obligations. 
The amount could be up to \u003Cstrong>€20 million\u003C/strong>, or, if it concerns a company, up to \u003Cstrong>4% of annual worldwide turnover\u003C/strong>.\u003C/p>\r\n\u003Ch2 id=\"summary-table-of-the-main-obligations\">Summary table of the main obligations\u003C/h2>\r\n\u003Ctable>\r\n\u003Cthead>\r\n\u003Ctr>\r\n\u003Cth>Nature of the obligations\u003C/th>\r\n\u003Cth>Data Controller\u003C/th>\r\n\u003Cth>Data Processor\u003C/th>\r\n\u003Cth>Joint Data Controller\u003C/th>\r\n\u003C/tr>\r\n\u003C/thead>\r\n\u003Ctbody>\r\n\u003Ctr>\r\n\u003Ctd>Draw up a written document setting out the respective obligations of each of the parties involved\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Document the data controller's instructions concerning the processing of personal data by the processor\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Obtain and retain prior written authorisation from the data controller to use the services of a processor\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Keep a record of the data processing operations carried out\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Carry out a data privacy impact assessment (PIA / DPIA, if the criteria are met)\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Inform the other parties involved in the processing (data controller, processor and joint data controller) in the event of a suspected breach of the GDPR\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Inform the data protection supervisory authority and/or the persons 
concerned in the event of a breach of personal data\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Provide data subjects with mandatory information\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Process requests to exercise rights (access, deletion, opposition, etc.)\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003C/tr>\r\n\u003Ctr>\r\n\u003Ctd>Assist the data controller in handling such requests\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>Yes\u003C/td>\r\n\u003Ctd>No\u003C/td>\r\n\u003C/tr>\r\n\u003C/tbody>\r\n\u003C/table>\r\n",null,864,5,"What are my obligations as a data controller?",0,"en","what-are-my-obligations-as-a-data-controller","In this article, we look at the data controller's obligations under the General Data Protection Regulation (GDPR). ",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":7,"blogUrl":7,"color":7,"userId":18,"creationDate":21},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-26T13:17:13.595","2023-12-26T14:17:12.9607331","2023-12-26T14:29:43.3411406",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst 
wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[48,51],{"typeMetaDataId":26,"value":49,"id":50},"https://www.dastra.eu/en/guide/the-obligations-of-data-controllers-and-processors/56293",111671,{"typeMetaDataId":52,"value":53,"id":54},3,"More information on the obligations of data controllers and processors",111672,"https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-1000.png",[57,58,59,60,61,62,63],"https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-1000.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-1500.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-800.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-600.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-300.webp","https://static.dastra.eu/content/7c69c282-6e2e-4473-8a9a-abd2f088cd44/direction-desk-100.webp",56294]