Accountability and enforcement are essential for successful protection of personal data. Along with identifying the party responsible for complying with the law, the responsibilities and duties to ensure compliance and defend individual rights, as well as actions to be taken in the event of failure to do so, should be identified.
Both data controllers and processors must have the roles, duties and responsibilities specified by law. Connections between controllers and processors should also be covered by law, with specific expectations for each party. Records management, security and data breach reporting rules must also apply to controllers and processors.
Both data controllers and data processors are subject to the requirements of the General Data Protection Regulation. One such requirement is that whenever a controller engages a processor to process personal data on the controller's behalf, the two parties must enter into a legally binding contract (a “Data Processing Agreement”).
The definition of “processor” under the GDPR has not changed. The GDPR, however, assigns compliance obligations to both controllers and processors, whereas the Directive generally applied only to controllers. If either or both of these parties violate the new EU data protection law, they can be prosecuted directly and face severe fines. The direct legal requirements established by the GDPR are important for organizations acting as processors. They are equally important to organizations acting as controllers that employ processors to process personal data on their behalf. This blog explains the obligations of data processors and controllers under both the GDPR and the DPDP Bill.
A data controller is described in Article 4(7) of the GDPR as follows:
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where these purposes and means are established by Union or Member State law, specific requirements regarding the controller or its appointment may be prescribed by such law.
A data processor is defined in Article 4(8) of the GDPR as follows:
A natural or legal person, government agency, agency or other entity that processes personal data on behalf of a controller is referred to as a “processor”.
A data processor is defined in Article 2(7) of the Digital Personal Data Protection Bill as:
“An individual who processes personal data on behalf of a data trustee is called a data processor.”
What should organizations do to be compliant:
Organizations acting as processors, or as controllers employing processors, should thoroughly evaluate the criteria for selecting processors. In particular, they should examine their current data processing agreements to determine whether any changes are necessary. Any new data processing agreement must comply with the GDPR.
Each organization acting as a processor must also:
- Identify the data processing activities in which it acts as a processor.
- Confirm that it is aware of its obligations under the GDPR as a processor.
- Ensure that appropriate procedures and templates are in place to identify, analyze and, to the extent necessary, promptly notify the relevant controllers of data breaches.
Obligations of processors and controllers under GDPR:
The additional compliance obligations arising from the GDPR are expected to significantly increase processors' costs, which are likely to be passed on to clients. Moreover, as processors become more particular about the terms of their agreements and the scope of the controller's instructions, processing agreements are expected to become more difficult to negotiate. Organizations acting as processors, or as controllers employing processors, should carefully consider the rules governing the engagement of processors. In particular, they should assess any adjustments needed to their current data processing agreements. New data processing agreements must comply with the GDPR.
It is the responsibility of data controllers and processors to take all necessary measures to ensure legal compliance. Merely complying with the law is not sufficient; they must also be able to demonstrate that the processing has been carried out in compliance with it, by clearly documenting how they comply. Data controllers and processors must therefore implement appropriate organizational and technical safeguards to ensure that processing is lawful and that its lawfulness can be proven.
Confidentiality and Integrity:
Both data controllers and data processors have the duty and responsibility to protect the security of their infrastructure and data. In addition, they must be obligated to notify and investigate breaches and alert the appropriate supervisory authorities and affected data subjects.
Responsibility for protection must extend to encompass the infrastructure and devices used in all stages of processing, including production, collection, retention and sharing. Legislation should include security precautions beyond simply storing the data itself.
Data controller:
The data controller is the primary person responsible for ensuring customer rights and privacy, managing access and obtaining cookie consent. They have more autonomy in decision-making, but are also responsible for errors.
According to Article 5 of the GDPR, data controllers are accountable for the accuracy, legitimacy and fairness of the personal data they process. They must also respect the confidentiality, accuracy and storage limitation of personal data. To avoid penalties and GDPR fines, a data controller should only select data processors that comply with the GDPR.
Data processor:
To qualify as a data processor, two basic requirements must be met: the entity must be a separate legal entity from the data controller, and it must process personal data on behalf of the controller.
The data is not within the control or ownership of the data processor. Therefore, the processor cannot change the purpose or the means of processing. Data processors typically provide IT services such as cloud storage. A data processor may also delegate some of its tasks to other processors, or appoint joint processors, if the data controller has given its prior written consent.
Processor Obligations Under the DPDP Bill:
The long-awaited Digital Personal Data Protection (DPDP) Bill 2022 was released by the Ministry of Electronics and Information Technology on November 18, 2022.
The DPDP Bill applies to personal data that is (i) collected in India online, (ii) collected offline and subsequently converted into digital form, or (iii) processed outside India in connection with activities such as the provision of products or services to data principals in India; processing outside India that is not connected with such activities falls outside its scope.
The DPDP Bill requires data processors to protect the personal data in their possession or control by taking reasonable security measures to prevent personal data breaches, even though the obligations towards the data principal always remain with the data trustee.
A data trustee may engage a data processor to process personal data on its behalf only with the consent of the data principal and under a legally binding contract between the data processor and the data trustee.
Such a data processor may, only to the extent permitted by its agreement with the data trustee, contract, employ or otherwise engage another data processor to process personal data under a valid contract.
Under the Digital Personal Data Protection Bill, data processors who process personal data on behalf of other organizations are subject to the following separate statutory obligations (Article 9):
- Take appropriate security measures to prevent any compromise of personal data in its possession or control.
- Notify the Board and each affected data principal in the event of a personal data breach.
- Subcontract processing operations only where permitted by its contract with the data trustee.
Contractual agreements involving mutual liability for commitments between data trustees and data processors are not prohibited by law.
Conclusion:
Since data controllers and data processors have different roles and duties, it is very important to understand the functions each performs. For a particular company and its service provider, this separation may not be obvious. For this reason, the GDPR and the DPDP Bill establish distinct tasks and duties for data controllers and data processors. The roles and duties of controllers and processors are more important than ever as companies work to maintain GDPR compliance. Compliance depends on the ability to recognize the difference between the two and how that difference affects your obligations, depending on the function your company performs in a given situation.
Updating your privacy practices is easy once you understand them. Once they are ingrained in your behavior, they can help protect you from common fraud tactics.