
Data controller requirements under GDPR

May 2017

A high level summary of GDPR requirements on data controllers.

| Article | Summary | Recitals |
|---|---|---|
| 4(7) | Definition of "controller". | |

Principles

| Article | Summary | Recitals |
|---|---|---|
| 5(2) | Controller is accountable for compliance with the data protection principles listed in Art.5(1), i.e. lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. | 85 |
| 6 and 9 | Controller to carry out lawful processing by virtue of at least one of the conditions laid out in Art.6 (and, for special categories of personal data, Art.9). | 40-41, 44-50, 51-56 |
| 7(1),(2),(3) | Controller to be able to demonstrate the data subject's consent to the processing of their personal data. Requests for consent to be presented in a manner clearly distinguishable from other matters and in an intelligible and easily accessible form. Consent may be withdrawn by the data subject at any time. | 32-33, 42-43 |
| 8(2) | Controller to make reasonable efforts to verify parental consent for children under 16 years old (although the age threshold may be set as low as 13). | 38 |

Rights of data subjects

| Article | Summary | Recitals |
|---|---|---|
| 12 | Controller to ensure that information and communications relating to the articles listed below are concise, transparent, intelligible and in an easily accessible form (especially when specifically addressing a child), and are given without undue delay and within one month of receipt of a request. | 58-59 |
| 13 | Information which the controller must provide when personal data are collected from the data subject (e.g. the controller's identity and contact details). | 60-62 |
| 14 | Information which the controller must provide where personal data have not been obtained from the data subject. | 60-62 |
| 15 | Controller to provide, on request by the data subject, a copy of the personal data undergoing processing (together with the information listed in Art.15(1)(a)-(h)). | 63-64 |
| 16 | Controller to rectify inaccurate personal data without undue delay upon request from the data subject. | 65 |
| 17 | Controller to erase personal data without undue delay either when the data subject so requests, or where obligatory under Art.17(1)(a)-(f) (e.g. the data subject withdraws consent), and to inform other controllers involved in the processing of the request, subject to the exceptions in Art.17(3). | 65-66 |
| 18 | Controller to restrict processing where any of Art.18(1)(a)-(d) applies (e.g. unlawful processing). | 67 |
| 19 | Controller to communicate any rectification or erasure of personal data, and any restriction of processing, to each recipient to whom the personal data have been disclosed. | 68 |
| 20 | Controller to provide the data subject, upon request, with their personal data in a structured, commonly used, machine-readable format where processing is carried out by automated means. | 69-70 |
| 21 | Where a data subject objects to the processing of their personal data (in particular for direct marketing), the controller shall no longer process that data unless it can demonstrate compelling legitimate grounds for the processing. Controllers must communicate this right to data subjects at the time of first communication with them at the latest. | |
| 22 | Controller to implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests where automated individual decision-making is necessary for the performance of a contract between controller and data subject and/or is based on the data subject's explicit consent. | 71-72 |
| 34 | See "Controller and Processor" below. | |

Controller and Processor

| Article | Summary | Recitals |
|---|---|---|
| 24(1) | Controller to implement appropriate technical and organisational measures and to be able to demonstrate compliance (see also Art.32). | 74-77 |
| 24(2) | Controller to implement data protection policies, where proportionate. | |
| 25 | Controller to ensure that, both when planning and when implementing processing activities, the data protection principles and appropriate safeguards are addressed and implemented (data protection by design and by default). | 78 |
| 26(1),(2) | Joint controllers to apportion their respective responsibilities for compliance between themselves and to make the essence of their arrangement available to the data subject(s). | 79 |
| 27(1),(2),(3) | Controllers not established in the EU to designate in writing a representative established in one of the Member States where the data subjects being monitored are based, unless the processing is occasional or the controller is a public authority or body. | 80 |
| 28(1) | Controller to ensure that its processors provide sufficient guarantees to implement appropriate technical and organisational measures. | 81 |
| 28(3),(8) | Controller to enter into a written contract with the processor covering the points in Art.28(3)(a)-(h) (e.g. the processor only to act on documented instructions from the controller when processing personal data; the controller to decide whether the processor deletes or returns the data at the end of the services, etc.). | 81 |
| 30(1),(3),(4) | Controller (and its representative) to maintain written records of processing activities containing the information specified in Art.30(1)(a)-(g) (e.g. purposes of the processing, time limits for erasure of the data, etc.), to be made available to the supervisory authority on request, subject to Art.30(5) (below). | 82 |
| 30(5) | Art.30(1) does not apply where fewer than 250 persons are employed (unless the processing is likely to result in a risk to the rights and freedoms of data subjects, or special categories of data (Art.9(1)) are processed). | |
| 31 | Controller (and its representative) to cooperate with supervisory authorities. | |
| 32(1) | Controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: pseudonymisation and encryption; maintaining confidentiality; restoring availability of and access to personal data following a physical or technical incident; and regular testing of the measures. | 83 |
| 32(4) | Controller to ensure that any natural person acting under its authority does not process data except on the controller's instructions. | |
| 33(1),(3),(5) | Controller to notify the supervisory authority of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification to contain the information specified in Art.33(3)(a)-(d). Controller to document any breaches, including their effects and the remedial action taken. | 85-88 |
| 34(1) | Controller to communicate a personal data breach to the data subject(s) without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons, unless the conditions of Art.34(3) are met (see also Art.12). | 86-88 |
| 35(1),(2) | Prior to carrying out potentially high-risk processing, controller to carry out a DPIA and to seek the advice of its DPO while doing so. | 88-93 |
| 36(1) | Controller to consult the supervisory authority prior to processing where a DPIA indicates the processing would be high risk in the absence of mitigating measures taken by the controller, and to provide the authority with the information specified in Art.36(3). | 94-96 |
| 37(1),(7) | Controller to designate a DPO where obligatory under Art.37(1), to publish the DPO's contact details and to communicate them to the supervisory authority. | 97 |
| 38 | Controller to ensure that the DPO is involved in all issues relating to the protection of personal data, to support the DPO and provide the resources necessary for the performance of the DPO's tasks, and to ensure that the DPO's other tasks and duties do not result in a conflict of interest. | 97 |

International Transfers

| Article | Summary | Recitals |
|---|---|---|
| 44 | Controller to comply with the conditions laid down in Chapter V of GDPR to ensure personal data is adequately protected when transferred to a third country, including the articles listed below. | 101-102 |
| 45 | Transfers on the basis of an adequacy decision. | 103-107 |
| 46 | Transfers subject to appropriate safeguards where there is no adequacy decision (e.g. BCRs, model clauses, an approved code of conduct, certification mechanisms). | 108-109 |
| 47 | Within a group of undertakings, use of binding corporate rules for international transfers as approved by the supervisory authority. | 110 |
| 49 | Where there is no adequacy decision, safeguard or BCRs, ensure third country transfers take place only where the conditions of Art.49(1)(a)-(g) are fulfilled (e.g. explicit consent). | 111-115 |

Remedies, liabilities and penalties

| Article | Summary | Recitals |
|---|---|---|
| 82(2),(3),(4) | Any controller involved in processing is liable for the damage caused by non-compliant processing, but is exempt if it proves it is not in any way responsible for the event giving rise to the damage. To ensure effective compensation, joint controllers are each liable for the entire damage, subject to any apportionment between the parties. | 146-147 |
