Duties and responsibilities of controllers and processors under GDPR
Data breach (Art. 33): Notification of a personal data breach to the Supervisory Authority within no more than 72 hours after having become aware of it.
Accountability (Art. 5, Para 2): The principle of accountability states that controllers are responsible for demonstrating compliance with the principles relating to the processing of personal data.
Data protection by design and by default (Art. 25): Meet the principles of data protection by design and by default from the earliest stages of your activities involving personal data.
Technical and organizational measures (Art. 24, 25, 28, 30, 32): Under GDPR, controllers and processors need to implement appropriate technical and organizational measures, taking into account the level of risk in relation to the processing of personal data. Pseudonymisation and encryption of personal data are among the security measures indicated in the Regulation.
Processing personal data of children under 16 years of age (Art. 8): In order for processing to be lawful, controllers and processors dealing with personal data of children under 16 years of age need to obtain consent from the holder of parental responsibility over the child.
Data Protection Impact Assessment (“DPIA”) under GDPR (Art. 35, 36): A data protection impact assessment may be required in the case of:
– a systematic and extensive evaluation of personal information;
– processing on a large scale of special categories of data;
– systematic monitoring of a publicly accessible area on a large scale.
*Prior consultation with the supervisory authority will be required if the DPIA indicates high-risk processing.
Records of processing activities (Art. 30): Keep records of processing activities, including detailed information about the controller, the purposes of processing, the categories of data subjects and of personal data, time limits for erasure, etc.
Data Protection Officer (Section 4): The Data Protection Officer’s role is to facilitate compliance with the applicable data protection rules. Even if in certain cases the designation of a DPO is optional, organizations may consider the appointment of a DPO as a best practice to demonstrate accountability and ensure compliance.