Data Protection for Organisations
Organisations that handle personal data are subject to a number of obligations under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”). This section aims to provide organisations with general guidance to better understand their role and responsibilities in relation to the processing of personal data.
The extent of an organisation’s responsibilities under the GDPR will depend largely on whether that organisation is defined as a controller or a processor. In simple terms, if an organisation exercises overall control over the purposes and means of the processing of personal data, that is, it decides what personal data is processed and why it is processed, then that organisation would be considered a ‘controller’. On the other hand, if an organisation processes personal data on behalf of and in accordance with the instructions of another organisation or person, then that organisation would be considered a ‘processor’.
Controllers
Article 4(7) of the GDPR defines a controller as being a natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data. While the GDPR’s definition encompasses both individuals and organisations, in practice, many controllers are organisations, such as companies or public authorities.
Controllers are the main decision-makers in relation to the processing of personal data. In practice, these decisions typically include deciding what personal data is collected and from whom, what the specific purposes for collecting the data are, what types of processing activities are carried out on that data, the intended outcomes of those processing activities, and so on.
Controllers shoulder the greatest responsibility for compliance with the GDPR. The various obligations of controllers include, but are not limited to, complying with the fundamental data protection principles (article 5 GDPR), identifying a lawful basis for their processing activities (article 6 GDPR), implementing technical and organisational measures to ensure compliant processing (article 24 GDPR), implementing data protection by design and by default (article 25 GDPR), ensuring the security of the personal data (article 32 GDPR), facilitating and fulfilling the exercise of data subject rights (articles 12 – 22 GDPR), designating a data protection officer, where applicable (article 37 GDPR), notifying personal data breaches to the supervisory authority (article 33 GDPR), and cooperating with the supervisory authority (article 31 GDPR). The controller is also responsible for the GDPR compliance of its processors, if any.
Importantly, in line with the overarching principle of accountability under article 5(2) of the GDPR, the controller must also be able to demonstrate that it has complied with the GDPR, including through proper record-keeping and documented evidence, which clearly show that the controller has fulfilled its various obligations under the GDPR.
Processors
Article 4(8) of the GDPR defines a processor as being a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller. A processor processes personal data exclusively on the basis of the documented instructions of the controller, and for the specific purposes determined by the controller, not for its own purposes.
Processors are meant to act only on the basis of the controller’s instructions and cannot make their own decisions about the purposes and means of the processing. Consequently, unlike controllers, processors are subject to limited responsibilities under the GDPR. While processors may exercise a certain degree of discretion about how to best serve the controller’s interests, for example, by deciding on the most suitable technical and organisational means to implement, processors do not have the autonomy to make decisions about the purposes of the processing, nor about any other essential means of the processing. Importantly, if a processor acts beyond the controller’s instructions, the processor will be considered to have infringed the GDPR, and will be regarded as a controller in respect of that processing, together with all of the corresponding obligations applicable to controllers under the GDPR.
Although not as extensive as the controller’s obligations, processors are still subject to a number of strict obligations under the GDPR. Some of these include, but are not limited to, notifying the controller, without delay, of any personal data breaches of which they become aware (article 33(2) GDPR), assisting the controller through appropriate technical and organisational measures (article 28(3)(e) GDPR), making information available to the controller for the purpose of demonstrating compliance with the GDPR (article 28(3)(h) GDPR), designating a data protection officer, where applicable (article 37 GDPR), and cooperating with the supervisory authority (article 31 GDPR).
