Personal Data Controller according to the GDPR
Under the GDPR, the Personal Data Controller is the party that determines the purposes and means of the processing of personal data. A company in this role must process personal data belonging to EU citizens correctly.
Personal Data Controller
The Personal Data Controller is normally the organization (for example a limited company, foundation, association or authority). This party decides for what purposes the data is to be processed and how the processing is to take place. It is therefore not the manager of a workplace, an employee or any other natural person who is the Personal Data Controller. Even so, a natural person can be the Personal Data Controller according to the GDPR; this is the case for sole proprietorships (individual companies), for instance.
If two or more parties jointly decide on a particular processing, they are jointly responsible for it. They must therefore decide among themselves who is responsible for fulfilling the various obligations set out in the GDPR. Who is the Personal Data Controller can also be specified in law or regulation, for example in special register laws.
Responsible for the processing
The Personal Data Controller shall ensure that the processing takes place in accordance with the provisions of the GDPR. For instance, a hired personal data processor may only process data in accordance with the instructions provided by the Personal Data Controller.
The Personal Data Controller has a general responsibility to implement appropriate technical and organizational measures, based on the privacy risks associated with the processing. This is because the Controller must ensure, and be able to demonstrate, that the processing is performed in accordance with the GDPR. This can be done, among other things, by creating a Privacy Policy with appropriate strategies for data protection and by ensuring that it is implemented within the organization.
The Personal Data Controller has an obligation to report compliance with the provisions of the GDPR to the Supervisory Authority. Codes of conduct and certifications can be a way to show that the company complies with the provisions of the GDPR. It can also be done by establishing internal routines for the staff, especially regarding the handling of personal data, and by keeping various logbooks to record erasures of personal data, breaches and the like. These are examples of agreements and documentation that the Supervisory Authority may request in the event of an inspection.
News about GDPR and reviews from supervisory authorities
In addition to this information, you can also read our GDPR summary and the various GDPR news items on this website, for example audits carried out by Supervisory Authorities and the sanction fees they impose. By learning from the mistakes of others, it is possible to avoid making similar mistakes yourself. You can also find information that is important and useful to know as an entrepreneur, as well as guides.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know about. We have therefore written a GDPR Summary that covers the various key elements. In this way we provide an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.