Obligations of Controller under the GDPR
In the previous article, we determined which companies are required to comply with the GDPR. The next logical question is what steps you must take if you fall into this category and your company is a controller of personal data. To answer it, you first need to know which obligations the GDPR imposes on controllers.
The data controller is the party that interacts with the client, collects personal data and determines the purposes and means of its further processing.
The main obligations of the controller under the GDPR are the following:
1. Implement appropriate technical and organizational measures designed to implement the data protection principles effectively, such as data minimisation, and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects (Art. 25);
2. Observe the principles set out in Art. 5(1) and be able to demonstrate compliance with them (Art. 5);
3. Engage only a processor that provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the Regulation. The contract with the processor must be concluded in writing (Art. 28);
4. Maintain a register of personal data processing activities (Art. 30);
5. Cooperate with the supervisory authority, on request, in the performance of its tasks (Art. 31);
6. Implement the technical and organizational measures set out in Art. 32 in order to ensure a level of security appropriate to the risk (Art. 32);
7. Notify the competent supervisory authority and the data subject in the event of a personal data breach. Such notification must take place, where possible, no later than 72 hours after the breach is discovered (Art. 33 – 34);
8. Conduct an assessment of the impact on the protection of personal data of planned processing operations which, by their nature, scope, context and purposes, are likely to result in a high risk to the rights and freedoms of individuals (Art. 35);
9. Consult the supervisory authority prior to processing if the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk (Art. 36);
10. Appoint a data protection officer if (a) the processing is carried out by a public authority; (b) the core activities of the controller consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or processor consist of large-scale processing of special categories of data under Article 9 or of personal data relating to criminal convictions and offences under Article 10 (Art. 37);
11. Ensure that the data protection officer is properly and promptly involved in all matters relating to the protection of personal data, safeguard the officer's independence and provide the resources necessary to perform the role (Art. 38-39);
12. Designate, in writing, a representative in the EU if the controller is established outside the EU.
Legarithm lawyers are experts in the field of GDPR, and we will help your business meet all the requirements of the GDPR.
Contact us via chat and we will review your business processes for GDPR compliance and analyze the existing and potential risks of receiving fines.