Under the European General Data Protection Regulation (GDPR), controllers (a company or public authority using personal data for its own purposes) are subject to new and/or more specific obligations than under the previous legislation (i.e. Directive 95/46/EC).
Data controllers’ obligations under the GDPR are set out below.
Data controllers’ obligations vis-à-vis individuals using their services:
With regard to individuals using their services, data controllers must:
- Obtain valid consent where necessary and implement the necessary opt-out option (see guidance here)
Data controllers’ obligations with regard to their internal organisation:
With regard to their internal organisation, data controllers must:
- Appoint a Data Protection Officer where required under the GDPR (see here for more details)
- Draft and implement internal policies and procedures to ensure they can handle any kind of data subject request, a security breach notification, etc.
- Ensure the security and confidentiality of the personal data collected (this responsibility is now partially shared with the subcontractor/processor)
Data controllers’ obligations with regard to the compliance of their data processing activities:
When it comes to ensuring the compliance of their data processing activities, data controllers must:
- Maintain a record of all their data processing activities (see here)
- Apply the privacy by design and by default principles (see here), which includes implementing policies in order to comply with the data protection principles (see here)
- Conduct a data protection impact assessment where required under the GDPR (see here)
Data controllers’ obligations when sharing personal data with third parties:
Data controllers have an obligation to enter into a contract with their data processors, and it is also strongly recommended to enter into a data transfer agreement with any other data controller. Therefore, a data controller should do the following when sharing personal data:
- Update agreements with subcontractors and partners to comply with the GDPR (see here for a template)
- Ensure any personal data transfer outside of the EU is compliant with the GDPR (i.e. is it framed by recognised tools such as BCR, standard contractual clauses, etc.?) (see here for guidelines and a template)
The need for, and the extent or complexity of, each obligation are to be adapted to the context (i.e. the kind of data processing in place, the amount and sensitivity of the personal data processed, how much information is shared, etc.).
If you have any questions, do not hesitate to contact Arnaud Blanc, a French and UK qualified lawyer based in France.