GDPR ROLES &
RESPONSIBILITIES
Within your company you can carry more than one role. You can be 'Controller', 'Processor', or 'Third Party', which depends on the data processing activity. Each role and activity carries different responsibilities. Understand your role, so your responsibility chart is GDPR compliant.
.png)
Data Subject
The one whose data is being collected or processed.
Data Protection Authority
The GDPR enforcement authority, investigating and able to pose fines.
Controller
The one deciding about what data shall be collected and for what purpose. (Could instruct Processor to actually do it.)
Processor
The one acting on behalf of the Controller, following instructions.
Third Party
A party processing personal data under specific contractual terms for a processor or controller, but is not a controller or processor.
Company
These are my Data subjects
All people I collect or process personal identifiable data from. For example: employee information, partner email addresses, or pseudonymized client references.
I'm Controller of this data
I'm Processor of this data
I'm Processor for data I process for my clients, which business relationship is based on a contract. For example, pseudonymized patient references, list of children attending a certain school, or I'm hosting a Cloud service.
These are my Third Parties
I'm Controller of my employee data, and from my partners, like their names and work emails, and I'm collecting online marketing data via consent forms.
I have hired Third Parties who may process personal data I have in my possession as a Controller or Processor, based on specific contractual terms and for specific purposes. For example my DPO, my business lawyer, my external HR, or my external accountant.
Data Protection Authority
Every authority in the European country in which I process personal data from its data subjects may investigate my GDPR compliance, request information, and could pose a GDPR fine.
Data Subject
Rights
Responsibilities
-
Right to be informed
-
Right to access your data
-
Right to rectify your data
-
Right to object to processing
-
Right to be forgotten
-
Right to restrict processing
-
Right to data portability
-
Rights related to automated decision-making and profiling
-
Right to notification in relation of a data subject right, or data breach that forms a high risk to my rights and freedoms.
-
Make myself aware of my data protection rights
-
Read the privacy policy and request more information if I don't understand what is being done with my data
-
Understand what I consent to
-
Exercise my data protection rights
Processor
Rights
Responsibilities
-
Use personal data for everything I received permission for from the Controller
-
Use personal data for internal quality and development as long as this falls within the purpose limitation I received consent for
-
Comply with the GDPR principles and demonstrate this via documentation and practices
-
Monitor internal compliance, such as data management, data access, Clean Desk policies, remote working, data sharing, storing, retention,
-
Monitor external compliance documentation and/or by contract from my sub-processors and third parties and communicate my external parties with the Controller
-
Set technical and organisational security measures to protect data
-
Implement data breach protocols internally, and inform the Controller without undue delay of a data breach.
Controller
Rights
Responsibilities
-
Use personal data for everything I received consent for
-
Use personal data for internal quality and development as long as this falls within the purpose limitation I received consent for
-
Further process personal data if this falls within the initial purpose
-
Comply with the GDPR principles and demonstrate this via documentation and practices
-
Monitor internal compliance, such as data management, data access, Clean Desk policies, remote working, data sharing, storing, retention,
-
Monitor external compliance documentation and/or by contract from my processors and third parties
-
Set technical and organisational security measures to protect data
-
Implement data breach protocols internally, and externally with partners/ processors.
Third Party
Rights
Responsibilities
-
Use personal data for those purposes specifically agreed by contract.
-
Comply with the GDPR principles and demonstrate this via documentation and practices
-
Monitor internal compliance, such as data management, data access, Clean Desk policies, remote working, data sharing, storing, retention,
-
Monitor external compliance documentation and/or by contract from my sub-processors and third parties and communicate my external parties with the Controller
-
Set technical and organisational security measures to protect data
-
Implement data breach protocols internally, and inform the Controller or Processor without undue delay of a data breach.