GDPR (3) Data processing and related roles

1 August 2017

In order to assess what the GDPR will mean for your own business or job, it is not enough to know which data are classified as personal data. You also need to have a good understanding of what the law means exactly by the term ‘data processing’. It is also important to be aware of the different roles that parties play in the processing of personal data. This is because the role you play determines your responsibilities and obligations to a large extent.

Data processing

Data processing must be viewed in very broad terms. Obviously it includes collecting data about contact details, interests, purchasing behaviour and website visits. Such data are used in marketing or sales campaigns.

However, data processing includes much more than that. The actual activity does not matter: any activity involving personal data is a form of data processing to which the GDPR applies. Looking up and viewing data, storing data, deleting and erasing data, and transporting data are just some of the activities that are considered data processing under the law. It is important to interpret data processing sufficiently broadly when compiling lists of data processing activities that are performed in-house or entrusted to third parties. A firm which provides payroll services to third parties obviously processes personal data, but so does the supplier which collects waste paper from your business if that waste paper includes personalised documents containing personal data. The private use of personal data by individuals does not, however, come within the scope of the GDPR. Neither does the work of the courts and the law enforcement agencies, as their work is governed by different legislation.

The roles

Privacy legislation identifies a number of roles with respect to data processing. The most important roles are those which the GDPR defines as the ‘Data Controller’ and ‘Data Processor’.

The Data Controller is the party that takes the initiative to collect (or arrange the collection of) personal data and keep such data, with the intention of processing the data in some way. The Controller must record the specific purpose of the data processing and demonstrate that it has legitimate grounds for this. It must decide in advance which personal data are required in order to fulfil that purpose. From a legal perspective, it is crucial that the data collected and processed is restricted to what is necessary for fulfilling the purpose. This is because not processing data is the best way to protect privacy. The Controller also guarantees the security of the collected data. The Controller ensures that the data are available, that their integrity is maintained at all times (i.e. that they are not wrongly changed or erased) and that there are no breaches of confidentiality. A crucial aspect in this context is that the data must be used exclusively for the purpose for which they were collected.

The role of Data Processor, by contrast, involves acquiring personal data from the Controller and processing the data in accordance with the Controller’s instructions, depending on the purposes for the processing. The Controller can take on this role, of course. If the Controller decides to use a third party, however, the third party will only play the role of Processor. This fundamental distinction forms the basis for the statutory obligations. Crucially, the GDPR, in contrast to previous privacy legislation, also imposes explicit obligations on the Processor.

It is important to realise that clearly defining the allocation of tasks is not always easy. For example, it is perfectly possible that a Processor may collect the personal data. This is because a Controller is able to instruct a Processor to collect, enrich and analyse personal data as part of its work. These are all examples of what the law means by the ‘processing of personal data’. The fact that a party collects data does not automatically make it the Controller. Conversely, the client of a Processor remains responsible for the data even when the data collection activities are outsourced to the Processor.

In future, it will be necessary to have a contract that clearly sets out the roles that the client and contractor play in data processing. It is a good idea to make sure this matter receives constant attention. The new law assumes that data processing always takes place in the context of a data processing contract that clearly sets out the mutual obligations with regard to data privacy. However, you need to be aware that your responsibilities are related to the role you actually play, regardless of whether this role is covered by a contract or not. This means that as Processor you need to make sure you do not assume any responsibilities that are not in keeping with your role. The most important and obvious restriction is that you must never use the data that the Controller has entrusted to you for any purpose other than the purpose specified in the Controller’s instructions.

Finally, the law clearly defines a third role, that of the Data Subject. The Data Subject is the individual to whom specific personal data relate. It is principally the Data Subject who enjoys legal protection under the law. The GDPR explicitly gives Data Subjects a number of rights concerning their personal data. These rights are fundamental to the new Regulation. First, the GDPR requires that Data Subjects are given clear and transparent information on the processing of their data. In addition, they also have the right to what is usually summed up as ‘fair use’ of the data. This encompasses the legal acquisition and processing of the data as well as taking care to ensure the data remain accurate, are adequately protected and are only used for the stated purpose. Data Subjects are entitled to receive information about all these aspects. Finally, Data Subjects are, to a large extent, able to control their individual data (they can retrieve, correct and erase their data and stop their data from being processed).

The rights and duties associated with each role will be discussed in detail in a future instalment of this blog.


Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (ISACA) and Certified Information Privacy Professional/Europe or CIPP/E (IAPP).

If you have any questions or comments, please write to us at