Module 3 - Controllers and Processors

Question 1

Who are the key stakeholders in a data processing relationship?

Answer 1

• DATA SUBJECT: Natural person subject to data processing activities.
• DATA CONTROLLER: Natural or legal person responsible for means and purposes of processing activities, who may act alone or jointly with other controllers.
• DATA PROCESSOR: Processes on behalf of the controller.
• DATA PROTECTION AUTHORITY: Supervisory authority with processing oversight in MS.

Question 2

What three data controllership relationships are possible?

Answer 2

• Controller-controller.
• Joint controllers.
• Independent controllers.

Question 3

What are the consequences of a processor acting outside the scope of their controller’s mandate?

Answer 3

• The processor becomes a controller in their own right, subject to the full compliance under GDPR (article 28).
• A controller may limit their liability for delinquent processors by under rigorous due diligence prior to engagement, including - reviewing the processor’s technical and security measures; checking any accreditations; appraising the processor’s data-handling knowledge; reviewing any retained sub-processors; investigating any breach actions or investigations.

Question 4

What considerations does article 28, GDPR require a processor to agree to under a data processing agreement?

Answer 4

• Ensuring persons involved in processing are committed to confidentiality obligations.
• Implementation of appropriate technical and security measures.
• Seeking controller consent to sub-processors, with flow-down of obligations.
• Deletion and return of personal data (upon controller instruction).
• Assisting the controller in supporting subject access right requests.
• Providing controller with information necessary to evidence compliance with GDPR.
• Audits undertaken by the controller or a third party.
• Processing on the controller’s documented instructions only.
• Assistance with data breach responses to supervisory authorities and affected data subjects.