- Data Controller
The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
- Data Processor
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller.
There are situations where an entity can be a data controller, or a data processor, or both.
- Data Breach
- Natural Person
- Supervisory Authority
- Right to data subject
- Personal Data
- Right to erasure (to be forgotten)
- Right to be informed
- Right to restrict processing
- Data Protection Impact Assessment (DPIA)
- Legal Person
- Special categories of data
- Personally Identifiable Information (PII)
- Data Protection Officer (DPO)
- Legitimate Interests