The GDPR states that a data controller “determines the purposes and means of the processing” of personal data, whereas a data processor processes personal data only and always “on behalf of the controller” (Article 4). In practice the test is who decides why and how personal data is processed: that party is the controller, even where a vendor does all of the technical work.
Role of Data Controller
• Define the purpose and means of collecting and processing the personal data
• Decide how long the data is kept and when it is disposed of (define a data retention policy)
• Implement data protection by design and by default (privacy by design, Article 25)
• Design systems according to the principle of data minimisation, in other words store only data that is adequate, relevant and limited to what is necessary for the stated purpose
• Report a personal data breach to the supervisory authority (Article 33, without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals)
• Bear liability for the damage caused by its processing to the data subject (Article 82)
• Remain responsible for, and able to demonstrate compliance with, all of the principles relating to the processing of personal data set out in GDPR Article 5 (the accountability principle)
• Make the processing as transparent as possible by creating and publishing a Privacy Policy that explains which data is collected (including cookies), the purposes of processing and the data subjects' rights
• Decide whether to keep the data in-house or to share it with third parties, and determine exactly whom the data is shared with
• Keep the purpose(s) of processing personal data up to date, and do not reuse data for a new purpose that is incompatible with the original one
• Provide any information requested by the supervisory authority
Role of Data Processor
• Design, build and operate the IT processes and systems that enable the data controller to collect personal data
• Use tools and strategies to collect personal data on the controller's instructions
• Implement technical and organisational security measures that safeguard the personal data (Article 32)
• Store personal data collected on behalf of the data controller
• Transfer data from the data controller to another organisation and vice versa, only as instructed
• Act solely on the documented instructions of the data controller, as set out in the contract or other legal act required by Article 28; a processor that decides on its own purposes and means of processing becomes a controller for that processing
• Notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)), so that the controller can meet its own notification deadline
• Engage a sub-processor only with the controller's prior authorisation, and pass the same data protection obligations down to it