Company Responsibilities under GDPR
Like other GDPR professionals and companies, do you also have a question about “Company responsibilities under GDPR”? Let us look at this in detail. It depends on whether the company is the data controller or the data processor. The company that owns the personal data is the data controller; a company that processes data on behalf of the data controller is a data processor. The obligations for data controllers and data processors are given below.
For Data Controller:
- As per Article 24 of the GDPR, data controllers are responsible for ensuring that any processing activities follow the GDPR.
- It is the responsibility of the data controller to ensure that appropriate technical and organizational security measures are implemented to demonstrate that processing is carried out in accordance with the regulation, depending upon the data.
- Data controllers are obliged to inform the data subject and the data protection authority of any breach, where the breach is likely to affect them.
- Also, it is the responsibility of the data controller to ensure that the data processor performs its data processing activities in compliance with the GDPR. For this, a Data Protection Addendum/Agreement can be signed between the parties.
- Before processing any personal data, it is the data controller’s responsibility to perform a data protection impact assessment (DPIA) to ensure compliance and take the necessary steps.
For Data Processor:
- The data processor is obliged to process the personal data according to the data controller’s instructions specified in the contract/agreement signed by the parties.
- The data processor is obliged to inform the data controller about the addition of any new sub-processor.
- The data processor must keep track of all data processing activities.
- After becoming aware of any data breach, data processors are obliged to inform the data controllers about it and assist them in mitigating/remediating it.
- The data processor must assist the data controller in Data Protection Impact Assessments (DPIAs).
Apart from these individual responsibilities, both the data processor and the data controller are obliged to appoint a Data Protection Officer (DPO).