What Is A Data Controller?
- 1 What is a data controller for GDPR?
- 2 What is the difference between a data processor and a data controller?
- 3 Does GDPR apply to data controllers?
- 4 Is Google a data controller?
- 5 Who may ask a data controller?
- 6 What is an example of a data controller and processor?
- 7 What are data controllers in common?
- 8 Who is the data controller in Blockchain?
- 9 Who would not be a data controller?
- 10 Is GDPR data controller outside the EU?
- 11 Do I need to register as a data controller?
What is a data controller for GDPR?
What is a controller? – The UK GDPR defines a controller as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities.
- They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.
- Some controllers may be under a statutory obligation to process personal data.
- Section 6(2) of the Data Protection Act 2018 says that anyone who is under such an obligation and only processes data to comply with it will be a controller.
A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional, eg a barrister).
- However, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the UK GDPR.
Example: A GP surgery uses an automated system in its waiting room to notify patients when to proceed to a GP consulting room. The system consists of a digital screen that displays the waiting patient’s name and the relevant consulting room number, and also a speaker for visually impaired patients that announces the same information. The GP surgery will be the controller for the personal data processed in connection with the waiting room notification system because it is determining the purposes and means of the processing.
Example: A firm uses an accountant to do its books. When acting for his client, the accountant is a controller in relation to the personal data in the accounts.
This is because accountants and similar providers of professional services work under a range of professional obligations that oblige them to take responsibility for the personal data they process. For example, if the accountant detects malpractice while doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities.
In doing so, an accountant would not be acting on the client’s instructions but in line with his own professional obligations and therefore as a controller in his own right. If specialist service providers are processing data in line with their own professional obligations, they will always be acting as the controller.
In this context, they cannot agree to hand over or share controller obligations with the client. Some organisations don’t have a separate legal personality of their own – for example, unincorporated associations such as sports clubs or voluntary groups. In this case you should review the document which sets up and governs the management of that organisation.
This document should set out which individual(s) manage the organisation on behalf of its members and are likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation. For convenience you may identify the organisation as a whole as the controller (eg you may use the club or group name in your privacy information for individuals).
Who is an example of a data controller?
Data Controllers – Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing. Some data controllers may be governed by a statutory obligation to collect and process personal data.
- A private company or any other legal entity – Including an incorporated association, incorporated partnership, or public authority.
- An individual person – Such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.
What is the difference between a data processor and a data controller?
If you are just starting out on your GDPR journey, understanding the key differences between a data processor and a data controller is an important concept to grasp. In large part, the data controller is the one that collects or possesses the data, and the processor is a third-party engaged by the controller to do data processing.
Three definitions from Article 4 should help speed your understanding of processors and controllers along:
- A data controller determines the purposes and means of the processing of personal data.
- A processor engages in personal data processing on behalf of the controller.
- Processing involves any operation (or set of operations) performed on personal data (such as, but not limited to, collection, structuring, storage, use or disclosure).
The organizations play different roles with respect to the data. The controller gets to call the shots. The processor follows the instructions of the controller and performs the operations requested. If the organizations are jointly determining processing, then they are considered joint controllers under the law.
Example of a Data Controller and Data Processor: Here is an example to help reinforce the differences conceptually. A website collects personal data from a customer located in the European Union during the customer’s purchase of a product. The personal data includes identifying information such as the customer’s name, address and phone number.
After all, the product has to be shipped to the purchaser in Europe. The operator of the website uses a third-party warehouse to store and ship the products on its behalf. In order to make sure the packages get to the right place, the website operator sends the warehouse the customer’s name and address.
The warehouse then ships a package, including the purchased product, to the consumer. The website operator is the controller. They collect the data and determine how it is processed. The warehouse is the processor. They receive the data from the controller and use it to mail the package. There are some overlapping requirements in GDPR that apply to both data processors and data controllers.
However, there are a number of areas where the responsibilities are different. What are the key differences between a GDPR data processor vs. data controller?
- The data controller gives instructions for processing to the data processor. The processor cannot process personal data except upon the instructions of the controller.
- If a processor unlawfully processes personal data without instructions, they may be considered a controller instead.
- The controller is responsible for implementing measures to ensure that processing occurs pursuant to GDPR.
- The processor is tasked by the text of the privacy law with helping the controller with certain tasks, including providing the information necessary to demonstrate compliance. The processor must also immediately tell the controller if an instruction violates GDPR.
- The controller is responsible for carrying out Article 35 Data Protection Impact Assessments (DPIAs), if necessary. Under Article 28, the processor is charged with assisting the controller in carrying out that obligation.
- The controller can engage any processor that meets the vendor management requirements imposed by GDPR and agrees to an appropriate written contract for processing. The data processor may only engage processors that are approved or based upon the instructions of the controller.
Which is the main responsibility of data controllers?
What is the role of the data controller? – The data controller, in essence, oversees how data is used, controls and supervises the duties of the data processor, and ensures that data is used, stored, and processed by the guidelines of the GDPR. They also oversee the process from obtaining data consent to enabling data usage for the required purposes.
Who is called as data controller?
A data controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body). For the official GDPR definition of “data controller”, please see Article 4.7 of the GDPR.
Does GDPR apply to data controllers?
Guidance: A Practical Guide to Data Controller to Data Processor Contracts under GDPR – The General Data Protection Regulation (“GDPR”) has obligations for both data controllers (“Controllers”) and data processors (“Processors”). One such obligation is the obligation on Controllers and Processors to enter into a legally binding contract governing the processing of personal data when a Processor is engaged to process personal data on the instruction of a Controller (a “Data Processing Contract”).
Is a data owner a data controller?
In the cloud context, the data controller is usually the cloud customer. From an international perspective, the data controller is also known as the data owner.
Is Google a data controller?
2) Keeping records of consents – Under the GDPR, data controllers are required to keep records of the consents given to process website users’ personal information. This also means that if you are the data controller, you are responsible when the Data Protection Authorities ask for your website users’ cookie consents.
Is Microsoft a data controller?
General Data Protection Regulation (GDPR): Introduction. The European Union’s General Data Protection Regulation (GDPR) sets an important bar globally for privacy rights, information security, and compliance. At Microsoft, we believe privacy is a fundamental right and that the GDPR is an important step forward in protecting and enabling the privacy rights of individuals.
Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR. Following is a description of Microsoft’s contractual commitments to its customers concerning personal data collected from enterprise software.
(For software licensed from Microsoft Commercial Licensing programs, refer directly to the Microsoft Products and Services Data Protection Addendum (DPA).) Does Microsoft make commitments to its customers with regard to the GDPR? Yes. The GDPR requires that controllers (such as organizations and developers using Microsoft’s enterprise online services) only use processors (such as Microsoft) that process personal data on the controller’s behalf and provide sufficient guarantees to meet key requirements of the GDPR.
- Microsoft provides these commitments to all customers of Microsoft Commercial Licensing programs in the DPA.
- Customers of other generally available enterprise software licensed by Microsoft or our affiliates also enjoy the benefits of Microsoft’s GDPR commitments, as described in this notice, to the extent the software processes personal data.
Where can I find Microsoft’s contractual commitments with regard to the GDPR? You can find Microsoft’s contractual commitments with regard to the GDPR (GDPR Terms) in the attachment to the DPA labeled “European Union General Data Protection Regulation Terms.” Those terms commit Microsoft to the requirements of processors in GDPR Article 28 and other relevant articles of the GDPR.
Microsoft extends the GDPR Terms to all customers of generally available enterprise software products licensed by us or our affiliates under Microsoft software license terms, effective as of May 25, 2018, regardless of the applicable version of the enterprise software, to the extent Microsoft is a processor or subprocessor of personal data in connection with such software, and so long as Microsoft continues to offer or support the version.
Support details can be found in the Microsoft Lifecycle Policy. For clarity, different or lesser commitments may apply to beta or preview software, software that has been materially modified, or any software licensed by Microsoft or our affiliates that is not made generally available to the public or otherwise not licensed under Microsoft software license terms.
- Some products may collect and send to Microsoft telemetry or other data by default; product documentation provides information and instructions for how to turn off or configure such telemetry collection.
What commitments are in the GDPR Terms? Microsoft’s GDPR Terms reflect the commitments required of processors in Article 28 of the GDPR. Article 28 requires that processors commit to:
- only use subprocessors with the consent of the controller and remain liable for subprocessors;
- process personal data only on instructions from the controller, including with regard to transfers;
- ensure that persons who process personal data are committed to confidentiality;
- implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk;
- assist the controller in its obligations to respond to data subjects’ requests to exercise their GDPR rights;
- meet the GDPR’s breach notification and assistance requirements;
- assist the controller with data protection impact assessments and consultation with supervisory authorities;
- delete or return personal data at the end of provision of services; and
- support the controller with evidence of compliance with the GDPR.
Who may ask a data controller?
The Right of Access (Article 15, Recitals 63 & 64 GDPR) The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e.
Is Microsoft a data controller or processor?
Breach notification FAQs – What constitutes a breach of personal data under the GDPR? Personal data means any information related to an individual that can be used to identify them directly or indirectly. A personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.’
What are your responsibilities as the controller? If a breach of personal data that is likely to result in a high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, financial loss, or damage to their reputation) occurs, the GDPR requires you to:
- Notify the appropriate Data Protection Authority (DPA) within 72 hours of becoming aware of it, for example after Microsoft notifies you. If you don’t notify the DPA within that time period, you’ll need to explain why to the DPA. This notice to the DPA is required even where there is a risk to individuals that is not likely to result in a high risk.
- Notify the data subjects of the breach without undue delay.
- Document the breach, including a description of the nature of the breach (such as how many people were impacted and the number of data records affected), the consequences of the breach, and any remedial action your organization is proposing or took.
What are the responsibilities of Microsoft as the processor? After we become aware of a personal data breach, the GDPR requires us to notify you without undue delay. Where Microsoft is a processor our obligations reflect both GDPR requirements and our standard, worldwide contractual provisions.
- We consider that all confirmed personal data breaches are in scope; there is no risk of harm threshold.
- We will notify our customers whether the data breach was suffered by Microsoft directly or by any of our sub-processors.
- We have processes in place to quickly identify and contact security incident personnel you’ve identified in your organization.
In addition, all sub-processors are contractually obliged to report their own breaches to Microsoft, and provide guarantees to that effect. How will Microsoft detect a data breach? All our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place.
However, in addition, Online Services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur. How will Microsoft respond to a data breach? To support you for a breach of personal data, Microsoft has:
- Security personnel trained on the specific procedures to follow.
- Policies, procedures, and controls in place to ensure that Microsoft maintains detailed records. This response includes documentation that captures the facts of the incident, its effects, and remedial action, as well as tracking and storing information in our incident management systems.
How will Microsoft notify me in the event of a data breach? Microsoft has policies and procedures in place to notify you promptly. To satisfy your notice requirements to the DPA, we will provide a description of the process we used to determine if a breach of personal data has occurred, a description of the nature of the breach and a description of the measures we took to mitigate the breach.
These checklists provide a convenient way to access information you may need to support the GDPR using Microsoft products. You can manage checklist items with Microsoft Purview Compliance Manager by referencing the Control ID and Control Title under Customer Managed Controls in the GDPR tile.
Does Microsoft make commitments to its customers with regard to the GDPR? Yes. The GDPR requires controllers (such as organizations using Microsoft’s enterprise online services) only use processors (such as Microsoft) that provide sufficient guarantees to meet key requirements of the GDPR. Microsoft has taken the proactive step of providing these commitments to all Volume Licensing customers as part of their agreements.
How does Microsoft help me comply? Microsoft provides tools and documentation to support your GDPR accountability. This includes support for Data Subject Rights, performing your own Data Protection Impact Assessments, and working together to resolve personal data breaches.
Under Article 28, processors commit to:
- Only use subprocessors with the consent of the controller and remain liable for subprocessors.
- Process personal data only on instructions from the controller, including with regard to transfers.
- Ensure that persons who process personal data are committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.
- Assist controllers in their obligations to respond to data subjects’ requests to exercise their GDPR rights.
- Meet the breach notification and assistance requirements.
- Assist controllers with data protection impact assessments and consultation with supervisory authorities.
- Delete or return personal data at the end of provision of services.
- Support the controller with evidence of compliance with the GDPR.
Under what basis does Microsoft facilitate the transfer of personal data outside of the EU? Microsoft has long used the Standard Contractual Clauses (also known as the Model Clauses) as a basis for transfer of data for its enterprise online services.
- The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner.
- Microsoft has incorporated the Standard Contractual Clauses into all of our Volume Licensing agreements via the Product Terms.
For personal data from the European Economic Area, Switzerland, and the United Kingdom, Microsoft will ensure that transfers of personal data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR.
In addition to Microsoft’s commitments under the Standard Contractual Clauses for processors and other model contracts, Microsoft continues to abide by the terms of the Privacy Shield framework but will no longer rely on it as a basis for the transfer of personal data from the EU/EEA to the United States.
What are the other Microsoft compliance offerings? As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist our customers. To view a complete list of our compliance offerings, including FedRAMP, HIPAA/HITECH, ISO 27001, ISO 27002, ISO 27018, NIST 800-171, UK G-Cloud, and many others, see our compliance offering topics.
- Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to reuse or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. Your organization must take steps to keep personal data secure through technical and organizational security measures.
You will need to understand what your organization’s specific obligations under the GDPR are and how you will meet them, though Microsoft is here to help you on your GDPR journey. What rights must companies enable under GDPR? The GDPR provides EU residents with control over their personal data through a set of ‘data subject rights’. This includes the right to:
- Access information about how personal data is used.
- Access personal data held by an organization.
- Have incorrect personal data deleted or corrected.
- Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”).
- Restrict or object to automated processing of personal data.
- Receive a copy of personal data.
What are Processors and Controllers? A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
- Does the GDPR apply to Processors and Controllers? Yes, the GDPR applies to both controllers and processors.
- Controllers must only use processors that take measures to meet the requirements of the GDPR.
- Under the GDPR, processors face additional duties and liability for noncompliance, or acting outside of instructions provided by the controller, as compared to the Data Protection Directive.
Processor duties include, but are not limited to:
- Processing data only as instructed by the controller.
- Using appropriate technical and organizational measures to protect personal data.
- Assisting the controller with data subject requests.
- Ensuring subprocessors it engages meet these requirements.
How much can companies be fined for noncompliance? Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements. Additional individual remedies could increase your risk if you fail to adhere to GDPR requirements.
- Does my business need to appoint a Data Protection Officer (DPO)? It depends on several factors identified within the regulation.
- Article 37 of the GDPR states that controllers and processors shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.
How much will it cost to meet compliance with the GDPR? Meeting compliance with the GDPR will cost time and money for most organizations, though it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance program in place.
- How do I know if the data that my organization is processing is covered by the GDPR? The GDPR regulates the collection, storage, use, and sharing of ‘personal data’.
- Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person.
- Personal data can include, but is not limited to, online identifiers (for example, IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health, and financial information and much more.
It can even include information that does not appear to be personal (such as a photo of a landscape without people) where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual.
Processing of certain “special” categories of personal data, such as personal data that reveals a person’s racial or ethnic origin, or concerns their health or sexual orientation, is subject to more stringent rules than the processing of “ordinary” personal data. This evaluation of personal data is highly fact-specific, so we recommend engaging an expert to evaluate your specific circumstances.
My organization is only processing data on behalf of others. Does it still need to comply with the GDPR? Yes. Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes (‘controllers’) as well as to organizations that process data on behalf of others (‘processors’).
This requirement is a shift from the existing Data Protection Directive, which applies to controllers. What specifically is deemed personal data? Personal data is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles.
Personal data can include:
- Name
- Home address
- Work address
- Telephone number
- Mobile number
- Email address
- Passport number
- National ID card
- Social Security Number (or equivalent)
- Driver’s license
- Physical, physiological, or genetic information
- Medical information
- Cultural identity
- Bank details/account numbers
- Tax file number
- Credit/Debit card numbers
- Social media posts
- IP address (EU region)
- Location/GPS data
- Cookies
Am I allowed to transfer data outside of the EU? Yes, however the GDPR strictly regulates transfers of personal data of European residents to destinations outside the European Economic Area. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism in order to enable these transfers.
Microsoft details the mechanisms we use in the Product Terms. I have data retention requirements through compliance. Do these requirements override the right to erasure? Where there are legitimate grounds for continued processing and data retention, such as ‘for compliance with a legal obligation, which requires processing by Union or Member State law to which the controller is subject’ (Article 17(3)(b)), the GDPR recognizes that organizations may be required to retain data.
You should, however, make sure you engage your legal counsel to ensure that the grounds for retention are weighed against the rights and freedoms of the data subjects, their expectations at the time the data was collected, etc. Does the GDPR deal with encryption? Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach.
Therefore, whether or not encryption is used may impact requirements for notification of a personal data breach. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk. Encryption is also a requirement through the Payment Card Industry Data Security Standard and part of the strict compliance guidelines specific to the financial services industry.
Microsoft products and services such as Azure, Dynamics 365, Enterprise Mobility + Security, Microsoft Office 365, SQL Server/Azure SQL Database, Windows 10 and Windows 11 offer robust encryption for data in transit and data at rest. How does the GDPR change an organization’s response to personal data breaches? The GDPR will change data protection requirements and impose stricter obligations on processors and controllers regarding notice of personal data breaches.
Under the new regulation, the processor must notify the data controller of a personal data breach, after having become aware of it, without undue delay. Once aware of a personal data breach, the controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify impacted individuals without undue delay.
Additional guidance on this topic is being developed by the EU’s Article 29 Working Party. Microsoft products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Microsoft Office 365, and Windows 10—have solutions available today to help you detect and assess security threats and breaches and meet the GDPR’s breach notification obligations.
What is an example of a data controller and processor?
What is a data controller or a data processor? The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
- Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
- Your company/organisation is a joint controller when together with one or more organisations it jointly determines ‘why’ and ‘how’ personal data should be processed.
- Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules.
The main aspects of the arrangement must be communicated to the individuals whose data is being processed. The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
- However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
- The duties of the processor towards the controller must be specified in a contract or another legal act.
- For example, the contract must indicate what happens to the personal data once the contract is terminated.
A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller.
There are situations where an entity can be a data controller, or a data processor, or both.
Controller and processor
A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment.
The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.
Joint controllers
Your company/organisation offers babysitting services via an online platform.
- At the same time your company/organisation has a contract with another company allowing you to offer value-added services.
- Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring.
- Both companies are involved in the technical set-up of the website.
In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of ‘combined services’ but they also design and use a common platform.
What are the three main roles of a controller?
Key Takeaways –
- A controller acts as an overseer of a company’s financial health by taking ownership of the financial reporting process.
- A controller oversees internal control implementation, assists with budget preparation, ensures reporting compliance, and manages the transaction reporting process.
- Controllers often have at least a decade of relevant work experience and a degree, though many companies now seek candidates with a CPA license.
- Controllers vary from CFOs and VPs of Finance, as controllers are usually more involved in the daily transactional aspects of overseeing a company’s performance.
- According to Glassdoor, controllers made an average of $156,000 per year at the end of 2021.
What are data controllers in common?
‘In common’ is where data controllers share a pool of personal data, often disclosing data to each other but with each processing the data independently of the other(s).
Is a CEO a data controller?
In a recent German case, a court decided that a CEO was personally liable for a data privacy breach after they hired a detective to investigate possible criminal acts by the plaintiff. Given the potential risks, this case raises a number of issues for companies and their boards to consider.
Data privacy debates in Europe
- This is one of a number of recent cases in Europe where the courts have dealt with the question about what is necessary for damages to be awarded under article 82 of the EU General Data Protection Regulation (GDPR).
- Article 82 provides that anyone who suffers non-material damage as a result of a GDPR infringement shall have the right to receive compensation for the damage suffered.
In a series of blog posts, we have taken a deep dive into the current case law on non-material damages for data privacy violations in Europe. We look at what the threshold for awarding non-material damages is, and the average amount that has been rewarded for non-material damages for data privacy breaches.
This debate continues as the German Higher Regional Court, Dresden (the court) raised the stakes for CEOs, as a broader interpretation of ‘data controller’ was applied and the CEO was held personally liable for data privacy violations.
Case background
A CEO, on behalf of the defendant company, commissioned a detective to investigate possible criminal acts committed by the plaintiff who had submitted a membership inquiry to the company.
The detective’s findings revealed that the plaintiff had been involved in criminal acts. When the company’s shareholders were informed of this, they rejected the membership application. The court ruled that the CEO hiring a detective violated data protection law and awarded the plaintiff €5,000 in non-material damages.
- In line with other German court rulings, the court found that data protection violations must not be trivial and that there is a threshold for awarding non-material damages.
- The sum of damages awarded also aligns with other German court rulings on damage claims.
Personally liable, company consequences
Notably, the court held the CEO personally liable for the data protection violations and the damage claim, alongside the company.
It classified the CEO as a data controller, which distinguishes him from an employee who is bound by instructions. Since the European Court of Justice has tended to apply a very broad interpretation of a data controller, it seems likely that other courts could follow suit.
Board members are generally at risk of personal liability for data privacy violations by their company, but if more courts choose to follow this opinion, it may raise the standard of duty of care even further. There is a particular risk where a board member or executive initiates the data processing underlying the data protection breach, or where he or she participates in the corresponding decisions or assignments.
A lack of oversight can also trigger personal liability. It is becoming increasingly more important for boards to manage risk in relation to the company’s data processing activities.
Who is data controller in SaaS?
The basics of GDPR compliance for B2B SaaS – If you are a B2B SaaS then you are most likely a Data Processor under the GDPR. Data Processors do not collect data directly from individuals, they process data on behalf of a Data Controller (your clients and prospects).
- A Data Controller is the company that owns the customer relationship and determines how user data will be collected and used and, importantly, which third parties it trusts to share this data with, since a data controller is liable for any breach of GDPR by a Data Processor.
- Data processors must take steps to ensure GDPR compliance.
These steps include:
Who is the data controller in Blockchain?
The user may be data controller – So, it is not just the business that may be the data controller. The user may also be the data controller if the user processes other people’s personal data. As a general rule, users who transfer currency from themselves to others or enter into smart contracts with others are data controllers in respect of the personal data on the other party processed in that connection and registered on the blockchain.
- The reason is that the users determine why the data are to be processed (to transfer currency to or enter into a contract with the other party).
- This might seem odd because the users have no influence on how the data are processed on the blockchain, but this view does seem to tally with the current, and rather wide, interpretation of the concept of data controller applied by the Court of Justice of the European Union (CJEU).
In some instances, these circumstances will be covered by the exemption applying to processing by natural persons in the course of a purely personal or household activity, which falls outside the scope of the GDPR. However, this applies only to private blockchains, on which the data are not made accessible to an indefinite number of people.
Who would not be a data controller?
Who is the data controller? – GDPR defines a data controller as: “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing” (e.g. a business obtaining customer or employee details, or a school, college or university holding student records). The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights.
Putting it simply, they are the manager of personal data; they instruct the processor. The data controller will decide the purpose for which personal data is required and what personal data is necessary to fulfil that purpose. A data controller acts autonomously. A party constrained in how it can handle personal data is less likely to be a data controller but could be a data processor.
The two simple questions to consider when identifying the data controller are:
- Why is the personal data being processed?
- Who proposed that personal data is processed?
Is data controller always a data collector?
Collecting Data – Only data controllers collect personal data from data subjects. Because of this, data controllers are also responsible for determining their legal authority to obtain that data. Data controllers need to establish a legal basis for collecting the data using one of the six bases for data collection set out in the GDPR. Data controllers are also responsible for deciding:
- What data they collect
- How they store the information
- How they use the information
- Whom they share the data with
- Whether they share the data with third parties
- When and how they delete the data
Any time a data processor becomes involved in collecting data, they become a data controller and all of the above responsibilities apply.
Is GDPR data controller outside the EU?
Does the GDPR apply outside the EU? – Yes, the GDPR applies outside the EU, but under specific circumstances. The GDPR safeguards the personal data of EU citizens and residents, even if it is transferred outside the EU’s borders. This means that the regulation applies to all EU-based and non-EU companies that deal with the personal data of European residents and citizens.
An example would be an organization from the United States that gathers data from EU citizens. The legal obligation applies to the organization as if it had its head office in the EU, even though it need not have any office within the borders of any European Union country. This means that if the company offers services or goods to EU citizens or tracks the behavior of consumers within the EU, it must comply with the GDPR.
For example, the previous agreement known as Privacy Shield governed data transfers between the EU and the US. That has been struck down now, but is an example of how the GDPR applied outside the EU too.
Who may ask a data controller?
The Right of Access (Article 15, Recitals 63 & 64 GDPR) The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e.
Do I need to register as a data controller?
Registering as a data controller You have a statutory duty to process certain personal data to maintain the electoral register and/or for the purpose of administering an election. As such, in line with current data protection legislation, you are acting as a data controller.
Data controllers are required to register with the Information Commissioner’s Office (ICO). Advice from the ICO is that all data controllers will need to ensure that they are registered. This means that you must be registered separately to your council in your capacity as ERO and/or RO. The ICO have advised that if you are both an RO and an ERO one registration can cover both roles, and that where you have an additional role as a Regional RO, Police Area RO, Combined Authority RO etc, one registration can be used for all titles but this needs to be included in the name of the organisation when registering.
In Scotland, where the ERO and the Assessor are the same person, the ICO have advised that one registration can also cover both roles, but both titles need to be included in the name of the organisation when registering.
Do data controllers own data?
Am I the ‘controller’ or the ‘processor’? – Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed.