2.2. What are the possible roles for an SME in the processing operations? The obligations of an SME under the GDPR depend on what it does with the personal data it processes. Three scenarios can be envisioned. First, an SME may act as a data controller (or controller) and process personal data by itself. Second, it may instruct another entity – a data processor (or processor) – to process personal data on its behalf, while still acting as a controller. Third, it may process personal data on behalf of another entity, and in this way act as a processor. Both controllers and processors must comply with specific rules,64 but the responsibilities of the controller are higher. Controllers bear the ultimate responsibility for the processing of personal data and, in principle, can be held liable for damages arising from any infringement of the GDPR. Processors can only be held liable if they fail to comply with obligations of the GDPR specifically directed to them, or if they acted outside of, or contrary to, the lawful instructions of the controller.65
64
For example, processors must be able to demonstrate compliance, keeping records of processing activities; ensure the security of processing, implementing technical and organizational measures; nominate a DPO in certain situations; and notify data breaches to the controller. See FRA/ECtHR/EDPS, Handbook on European data protection law (Publications Office of the European Union 2018), 101, 102. Compared with the previous Data Protection Directive, the obligations imposed by the GDPR on processors have increased. See Gabel, D. and Hickman, T., ‘Chapter 11: Obligations of processors – Unlocking the EU General Data Protection Regulation’ in White & Case LLP (ed.), Unlocking the EU General Data Protection Regulation: A practical handbook on the EU’s new data protection law (5 April 2019) https://www.whitecase.com/publications/article/chapter-11-obligations-processors-unlocking-eu-general-data-protection.
65
Van Alsenoy, B., ‘Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation’ (2016) 7 JIPITEC 271 para 1 https://www.jipitec.eu/issues/jipitec-7-3-2016/4506.
2. Personal data protection basics