Controller and processor under the GDPR: you’re in it together!

The way it was…
Under the Dutch Personal Protection Act (Wet Bescherming Persoonsgegevens), the obligations relating to the protection of personal data were, strictly speaking, placed with the data controller. The processor had no official responsibility, despite the fact that even then the controller was in many cases dependent on the activities and procedures of the processor, particularly in reference to the most salient issue: data security.

The way it is…
Now that the GDPR has gone into effect, this has changed. The assumption remains that the data controller has primary responsibility for the processing of personal data collected and processed for a specific purpose. However, the GDPR has introduced a number of obligations for the processor. The processor has been given shared responsibility for the processing of the personal data it processes at the instruction of the data controller.

Partnering on data protection
This means that now more than ever it is important for the controller and the processor to work together to keep personal data safe. Data protection has to be founded on a data processing agreement contracted between the parties, a document that regulates the relationship between them. It will contain provisions governing a number of aspects, such as the object of the processing, the nature of the personal data, security, sub-processors, data breaches on the part of the processor, and damages and penalties and how these are to be apportioned between the parties. But the parties’ cooperation must go further than this. The processor is obliged to support the controller in the performance of its tasks and responsibilities under the GDPR. This includes not just security issues; for example, whenever a data subject wishes to know what personal data concerning them is being processed, the processor must help the controller in answering the query.

Step-by-step
Step 1: Identify what personal data the processors are processing/the controller(s) for which personal data is being processed.
Step 2: Sign a data processing agreement that contains all necessary provisions.
Step 3: Maintain regular contact with the Data Protection Officer/Privacy Officer of the processor and/or controller.

Our Team Privacy will be happy to advise you on the GDPR and its impact on your organisation, including drafting and negotiating your data processing agreements. If you would like to know more about the possibilities, contact one of our Team Privacy personnel for a free, no-obligation quote.

Monique Schreurs
Partner