Both data controllers and data processors
can be 100 percent liable for a violation of the GDPR, if both were involved in the relevant data processing.
They are those entities hired by the data controllers to process personal data on their behalf.For example, the French company hired by IEBC in the last general election to host our data in the cloud and provide the results transmission system acted as the data processors
for the electoral commission.
With regard to processing by data processors
, the Law requires data controllers to engage only data processors
who provide sufficient guarantees regarding the application of technical and organisational measures.
Where you engage a data processor
(IT services, for example), you must update your contractual terms with them to include mandatory data processor
clauses for GDPR compliance.
A data processor
only processes personal data on behalf of the controller and is usually a third-party company.
The data processor
is the entity that actually carries out the processing, very often offshore as we in the Philippines know very well.
For instance, if a company sells widgets to consumers and uses an email automation company to email customers on its behalf and track their engagement activity data, the widget company is the data controller, and the email automation company is the data processor
. "Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc.
* The app provides the Data Protection Officer (DPO) with required visibility into GDPR compliance via a DPO Dashboard that monitors non-compliant contracts and data processors
across geographies and contract types.
* Direct Data Processors
Obligations: Another proposed feature of the GDRP is the introduction of some direct obligations on data processors
such as maintaining records of processing activities and security requirements.
That was the consensus of a number of computer software vendors and data processors
that were interviewed by Credit Union Times.
Liability for data breaches and violations of the law will be shared between data controllers (organizations that own the data) and data processors
(such as cloud providers that store the data) - and the penalties can be severe.
Reding is aware of the concerns raised in the media by the application of this law and insisted that "the rules are about empowering private individuals in relation to data processors
, not about erasing past events, rewriting history or restricting freedom of the press".