Loyens & Loeff
Date
25-11-2016

GDPR Update - (new) obligations of the data controller

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the (new) obligations of the data controller.

The (new) obligations of the data controller under the GDPR:

  1. Concept of data controller
  2. Records of processing activities
  3. Data protection impact assessment
  4. Privacy by Design and Privacy by Default
  5. Appointment of a data protection officer
  6. Notification of a data breach to the supervisory authority and data subject
  7. What do these changes mean for your organisation and how can you prepare for them?

 

  1. Concept of data controller
    The concept of the data controller remains the same under the GDPR as it was under the Data Protection Directive (Directive 95/46/EC). The data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, the data controller is the party that decides which personal data are processed, how they are processed and for which purposes.

  2. Records of processing activities
    The current obligation under the Data Protection Directive to notify certain data processing activities to the national data protection authorities (DPA) will no longer apply. Under the GDPR, instead, a data controller is obliged to maintain an internal record of all processing activities carried out under its responsibility. This record must include specific details on each processing activity including information on (among others):

    - the categories of personal data, data subjects and recipients of the data;
    - the purposes of the data processing activities;
    - the applicable retention periods; and
    - the technical and organisational security measures taken.

    This means that a data controller must identify all its activities involving personal data and keep a record of all details thereof. Processing activities that were exempted from the obligation to notify the DPA under the Data Protection Directive must be included in the record as well. The data protection authorities may request access to the internal record of processing activities.

    There are certain exceptions to the obligation to maintain a record. It is not compulsory for organisations employing fewer than 250 persons. However, if the processing activities of such organisations (i) are likely to result in a risk to the rights and freedoms of the data subjects, (ii) are not occasional, or (iii) include so-called ‘special’ (sensitive) categories of personal data, the obligation applies nevertheless. Since these conditions are alternatives, meeting any one of them is sufficient. In our view, for example, small health care organisations or e-marketing companies (employing fewer than 250 persons) are likely to have to maintain a record of processing activities.

  3. Data protection impact assessment
    The GDPR introduces the obligation for data controllers to carry out a data protection impact assessment (DPIA) prior to commencing a processing activity in certain cases. Such a DPIA is in particular required when a processing activity is likely to result in a high risk to the rights and freedoms of data subjects due to the scope or nature of the processing activity. A DPIA is, for example, required in the case of systematic and extensive profiling on which decisions with legal or similarly significant effects are based, processing of ‘special’ (sensitive) categories of personal data on a large scale, or systematic monitoring of a publicly accessible area on a large scale.

  4. Privacy by Design and Privacy by Default
    The data controller must take the principles and obligations laid down in the GDPR (such as data minimisation and pseudonymisation) into account from the earliest stage of designing the processing activities. The data controller also has to implement appropriate measures to ensure that, by default, only personal data that are necessary for each specific processing purpose are processed. For example, the default settings of applications used to process personal data should, as far as possible, prevent excessive processing of personal data rather than require the user to switch it off.

  5. Appointment of a data protection officer
    Where a data protection officer (DPO) can currently be appointed on a voluntary basis, the GDPR requires that all public authorities or bodies designate a DPO. Private companies must appoint a DPO when their core activities consist of the processing of ‘special’ (sensitive) personal data on a large scale, or of regular and systematic monitoring of data subjects on a large scale. There is no guidance (yet) on which (types of) companies must appoint a DPO; however, it is likely that health care institutions and investigation agencies must designate a DPO.

    One DPO can be appointed for a group of companies. The DPO may be employed by the data controller or may be an external contractor, but must be able to perform the DPO tasks independently. The DPO must be qualified and have expert knowledge of data protection laws and practices.

  6. Notification of a data breach to the supervisory authority and data subject
    The GDPR introduces an obligation to report a data breach to the data protection authority (similar to the obligation that has applied in the Netherlands since 1 January 2016). Such notification must take place without undue delay and, where feasible, within 72 hours after the data controller became aware of the data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Where the breach is likely to result in a high risk to the data subjects, the data subjects concerned must be informed about the data breach as well. In next month’s GDPR Update we will discuss this obligation in more detail.

  7. What do these changes mean for your organisation and how can you prepare for them?

- Start identifying the processing activities carried out under your organisation’s responsibility and start keeping records thereof;
- Verify whether any of these data processing activities requires a DPIA;
- Consider whether you need to appoint a Data Protection Officer; and
- Set up internal procedures and protocols and appoint responsible persons for identifying, reviewing and notifying data breaches.

 

Contact


Should you require any assistance in implementing the GDPR within your organisation, please contact us or visit our General Data Protection Regulation webpage for more information.