Obligations of the controller under Regulation (EU) 2016/679

Protection and processing of personal data have been reformed with the adoption of the new Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which applies from 25 May 2018. The Regulation introduces a number of changes to the existing legal framework which concern all companies processing personal data of customers, staff and other counterparties. In order to comply with its requirements, controllers must prepare their business both legally and technically.

This article aims to provide information on the obligations of controllers under the General Data Protection Regulation. It is important to note that some of these obligations are not new but are already regulated in the current Personal Data Protection Act.

Before describing the obligations of controllers, the terms “personal data”, “processing”, “controller” and “processor” should be defined. According to the General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person (‘data subject’). This is most often a name, address, phone number, e-mail address, etc. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

I. Lawfulness of the processing

In the first place, it is extremely important to comply with the principle of lawfulness of processing. Processing is lawful only if and to the extent that at least one of the following conditions applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

II. Fairness and transparency

The principles of fairness and transparency require that the data subject be informed of the existence of a processing operation and of its purposes. They are closely related to the controller’s obligation to provide information, which is discussed in detail below.

III. Purpose limitation

The controller must collect personal data for specified, explicit and legitimate purposes and must not further process them in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes.

IV. Data minimization

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

V. Accuracy

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

VI. Storage limitation

The controller must keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. Personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.

VII. Accountability

The controller is responsible for compliance with the basic principles of the Regulation and must be able to demonstrate that its processing of personal data complies with them. One of the means of demonstrating compliance is keeping records of the processing activities for which the controller is responsible.

VIII. Integrity and confidentiality

The controller must process the personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

IX. Obligation to provide information where personal data are collected from the data subject

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time the personal data are obtained, provide the data subject with the identity of the controller, the purposes of the processing, the recipients of the personal data, the period for which the personal data will be stored and the other information required by Article 13 of the Regulation, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the data subject so requests, the information may be given orally, provided that the identity of the data subject is proven by other means. The information is provided free of charge.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose.

X. Obligation to provide information where personal data have not been obtained from the data subject

Where personal data have not been obtained from the data subject, the controller must provide the data subject with the identity of the controller, the purposes of the processing, the recipients of the personal data, the period for which the personal data will be stored and the other information required by Article 14 of the Regulation, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the data subject so requests, the information may be given orally, provided that the identity of the data subject is proven by other means. The controller shall provide the information:

  • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The information is provided free of charge.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose.

XI. Obligation to provide data subjects with access to personal data relating to them

Within one month of receiving a request from the data subject, the controller must confirm whether or not personal data concerning him or her are being processed and, where that is the case, provide access to the personal data.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

The time limit for providing the above information, which is one month from receipt of the request, may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The information is provided free of charge.

XII. Obligation to rectify personal data

At the request of the data subject, the controller must rectify inaccurate personal data relating to him or her without undue delay (within one month). Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement. The period may be extended by a further two months. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Rectification is free of charge.

XIII. Obligation to erase personal data

At the request of the data subject, the controller must erase personal data relating to him or her without undue delay (within one month). The period may be extended by a further two months. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Erasure is free of charge.

The controller erases the personal data where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) of Regulation (EU) 2016/679 and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for the purposes of direct marketing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services to a child.

Where the controller has made the personal data public and is obliged to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

XIV. Obligation to restrict processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. At the request of the data subject, the controller must restrict the processing of the data within one month. The period may be extended by a further two months. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Restriction of processing is free of charge.

Processing must be restricted where one of the following grounds applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

XV. Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

XVI. Obligation to provide data portability

The controller is obliged to provide the data subject with the personal data concerning him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.

At the request of the data subject, the controller must provide the data within one month. The period may be extended by a further two months. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the data subject’s request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The transfer is free of charge.

XVII. Obligation to discontinue data processing

Where the data subject objects to the processing of his or her personal data, the controller is obliged to discontinue the processing, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or grounds for the establishment, exercise or defence of legal claims. This applies where the processing is based on one of the following grounds:

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Where the data subject objects to processing for direct marketing purposes, the controller must discontinue the processing of the personal data for those purposes.

XVIII. Obligation to provide information on the right to object to the processing of personal data

The controller must explicitly bring the data subject’s right to object to the processing of personal data to the attention of the data subject at the latest at the time of the first communication with him or her, and must present it clearly and separately from any other information.

XIX. Obligation to provide information on the right to object to the processing of personal data for the purposes of direct marketing

The controller must inform the data subject of the existence of the right to object to the processing of personal data for direct marketing purposes. This information must be provided at the latest at the time of the first communication with the data subject, in a clear manner and separately from any other information. Where the data subject objects to processing for direct marketing purposes, the controller must discontinue the processing of the personal data for those purposes.

XX. Obligation to ensure security of processing by introducing technical and organizational measures

The controller is obliged to put in place appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is carried out in accordance with the Regulation. These measures shall be reviewed and, where necessary, updated.

Such measures include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • data minimisation: processing only the personal data that are necessary for each specific purpose of the processing. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons;
  • cooperating with the Supervisory Authority for fulfilling the obligations arising from the Regulation;
  • limiting the number of individuals who have access to the data.
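The first measure in the list above, pseudonymisation, is easy to get wrong: replacing an e-mail address with its plain SHA-256 hash is not pseudonymisation in the sense of Article 4(5), because anyone who can guess the address can recompute the hash and attribute the record to the person. The example below is added here and is not part of the article; it uses constructed sample records and hypothetical field names. It derives pseudonyms with a keyed hash (HMAC-SHA256), so the secret key is the “additional information” that must be kept separately from the pseudonymised data, and it shows why the unkeyed variant fails, how the key holder can still locate a subject’s records to honour an erasure request, and how the same measure limits the number of individuals who can attribute the data to a person.

```python
"""Keyed pseudonymisation of direct identifiers (HMAC-SHA256).

Added example with constructed data; the record layout and the choice of
fields treated as direct identifiers are assumptions, not from the article.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumption: these fields identify a person directly and are removed from
# the pseudonymised copy; the remaining fields are kept for the business purpose.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key.

    Keep the key apart from the pseudonymised data set (separate system,
    separate access rights); holders of the data alone cannot re-identify.
    """
    return secrets.token_bytes(32)


def _normalise(email: str) -> bytes:
    # Same person, same pseudonym: trim and lower-case before hashing.
    return email.strip().lower().encode("utf-8")


def pseudonym(key: bytes, email: str) -> str:
    """Deterministic keyed pseudonym for an e-mail address."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(email: str) -> str:
    """Plain SHA-256 with no key: NOT adequate pseudonymisation (see attack below)."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def pseudonymise_record(key: bytes, record: Dict[str, str]) -> Dict[str, str]:
    """Replace all direct identifiers with one pseudonym derived from the e-mail."""
    out = {"subject_id": pseudonym(key, record["email"])}
    out.update({k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS})
    return out


def reidentify_by_guessing(target: str, candidates: List[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Attacker (or auditor) who can enumerate candidate addresses.

    key=None models the attack on the unkeyed hash; with a key the caller must
    hold the correct key, otherwise every guess fails.
    """
    for candidate in candidates:
        guess = unkeyed_pseudonym(candidate) if key is None else pseudonym(key, candidate)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def erase_subject(key: bytes, dataset: List[Dict[str, str]], email: str) -> List[Dict[str, str]]:
    """Honour an erasure request on the pseudonymised set: only the key holder
    can map the requesting person to his or her pseudonym."""
    sid = pseudonym(key, email)
    return [r for r in dataset if r["subject_id"] != sid]


# Constructed sample records (fictitious people).
SAMPLE_RECORDS = [
    {"name": "Ana Petrova", "email": "Ana.Petrova@example.org", "phone": "+359 2 000 0000",
     "plan": "basic", "city": "Sofia"},
    {"name": "Ana Petrova", "email": "ana.petrova@example.org", "phone": "+359 2 000 0000",
     "plan": "premium", "city": "Sofia"},
    {"name": "B. Ivanov", "email": "b.ivanov@example.net", "phone": "+359 2 000 0001",
     "plan": "basic", "city": "Plovdiv"},
]


if __name__ == "__main__":
    key = new_key()  # in practice: generated and stored in a separate key store
    pseudo = [pseudonymise_record(key, r) for r in SAMPLE_RECORDS]
    for r in pseudo:
        print(r)
    guesses = ["x@example.com", "ana.petrova@example.org"]
    print("unkeyed hash reversed:", reidentify_by_guessing(
        unkeyed_pseudonym("Ana.Petrova@example.org"), guesses))
    print("keyed, wrong key:", reidentify_by_guessing(pseudo[0]["subject_id"], guesses, secrets.token_bytes(32)))
    print("records after erasure:", len(erase_subject(key, pseudo, "ANA.PETROVA@example.org")))
```

Two design points worth noting. The pseudonym is deterministic so that records of the same person remain linkable for the business purpose and for data subject requests, which is also why the key must be rotated only with a migration plan. And pseudonymisation does not take the data outside the Regulation: the pseudonymised records are still personal data while the key exists, so the other measures in the list (access limitation, integrity, availability, regular testing) still apply to them.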

XXI. Obligations where processing is carried out on behalf of the controller

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject. The processor shall not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

XXII. Obligations to maintain records of processing activities

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. The record shall be in writing, including in electronic form. This obligation does not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences. The controller and, where applicable, the controller’s representative, shall make the record available to the supervisory authority on request.

XXIII. Obligation to maintain records of all categories of processing activities

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. The record shall be in writing, including in electronic form. This obligation does not apply to an enterprise or an organisation employing fewer than 250 persons, subject to the same exceptions as for the controller’s record (processing likely to result in a risk, processing that is not occasional, or processing of special categories of data or data relating to criminal convictions and offences). The processor and, where applicable, the processor’s representative, shall make the record available to the supervisory authority on request.

XXIV. Obligation to cooperate with the Supervisory Authority

The controller and the processor shall cooperate, on request, with the supervisory authority in the performance of its tasks.

XXV. Obligation to notify the supervisory authority of a personal data breach

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.

XXVI. Obligation to notify the data subject of the personal data breach

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

XXVII. Obligation to compensate for damage suffered

Any person who has suffered material or non-material damage as a result of processing that infringes the Regulation has the right to receive compensation from the controller or the processor for the damage suffered.

XXVIII. Data protection impact assessment

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

XXIX. Obligation of prior consultation

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

XXX. Obligation to designate a data protection officer

The controller and the processor shall designate a data protection officer in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) or of personal data relating to criminal convictions and offences.

The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and the processor shall support the data protection officer in performing the tasks listed in Article 39 of the Regulation by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

XXXI. Obligation to train staff to respond to events that threaten the security of personal data

The controller is obliged to train its staff to respond to events that threaten the security of personal data.

XXXII. Obligation to train staff on the mechanism of processing of personal data and to protect the data in the maintained registers containing personal data

The controller is obliged to train its staff on the mechanism of personal data processing and on the protection of the data in the registers containing personal data that it maintains.


Legal Disclaimer: This material prepared by Krasimira Kadieva aims to provide information about the obligations of the controller under Regulation (EU) 2016/679. It does not constitute a legal opinion and cannot be interpreted as an individual consultation on any concrete facts or circumstances. The advice of a legal specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website.