The Data Controller and Controller Duties
As per the official definition of the Data Controller under GDPR, given in Article 4, ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The data controller is the person who determines the purposes for which the personal data will be processed and by which means. If your organization decides ‘Why?’ and ‘How?’ the personal data should be processed, then it is the data controller because it controls the processing of personal data.
If your company/organization, in association with another company/organization, jointly determines ‘Why?’ and ‘How?’ the personal data should be processed, then your company/organization is a joint controller.
Duties/Responsibilities of the data controller under the GDPR
- Firstly, the controller must be in compliance with GDPR. (Follow our blog to implement GDPR)
- Compliance with all the data protection principles mentioned in Article 5 (1).
- Carrying out a Data Protection Impact Assessment is also the responsibility of the controller, as part of demonstrating GDPR compliance.
- The controller must be able to demonstrate its GDPR compliance. The most common ways to do so are adhering to a code of conduct and carrying out a DPIA (Data Protection Impact Assessment) for specific data processing activities.
- As defined in Article 24 of GDPR, the controller shall implement appropriate technical and organizational measures to ensure that all processing of personal data is in accordance with the regulation.
Place of the Data Controller in GDPR
Let’s take some examples to understand the concept of the controller and joint controller in a more detailed way:
Example: An “Employee E1” working at a product company “Qualitians” as “Product Owner” decides ‘Why?’ and ‘How?’ the personal data should be processed in the product. In this case, the company “Qualitians” is the data controller, because Employee E1 is taking the decision on behalf of the company/organization; the liability as a data controller therefore lies with the company, not with the employee.