By far the most comprehensive data protection framework is the GDPR, whose injunctions currently affect 28 nations directly and all interconnected (business trade) nations secondarily. These materials draw upon the definitions used by the European Commission to distinguish the roles related to data privacy and protection.
The terms data controller and processor are used extensively to describe the key relationship between the legal liabilities related to the consumer and the contractual responsibilities of the provider. The GDPR takes its definitions of controller and processor from the Article 29 Data Protection Working Party's Opinion 1/2010 on the concepts of “controller” and “processor”.
“Finally, it should be no surprise that the controller is also held liable, in principle, for any damage resulting from unlawful processing. […] Summarizing the above reflections it can be concluded that the one liable for a data protection breach is always the controller, i.e.[,] the legal person (company or public body) or the natural person as formally identified according to the criteria of the Directive.”
Commenting further on the relationship between controller and processor, the European Commission official website states:
“The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed it is the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller.
Your company/organization is a joint controller when together with one or more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking. The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.”
In summary, the roles related to ensuring data privacy are:
- Data subject: One who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (e.g., telephone number, IP address).
- Data steward: Responsible for data content, context, and associated business rules.
- Data custodian: Responsible for the safe custody, transport, and storage of the data and implementation of business rules.
- Data owner: Holds legal rights and complete control over data elements.
- Personal data: Any information relating to an identified or identifiable natural person, such as sensitive/health data, biometric data, and telephone traffic data.
- Processing: Operations that are performed upon personal data whether or not by automatic means, such as collection; recording; organization; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission, dissemination, or otherwise making available; alignment or combination; blocking; erasure; or destruction. Processing is made for specific purposes and scopes, for example, marketing, selling products, justice, the management of employer–employee work relationships, public administration, and health services.
- Data controller: The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for the nomination of the controller may be designated by national or community law.
- Data processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller. There are situations where an entity can be a data controller, or a data processor, or both.
An e-commerce store is collecting personal data from customers purchasing items, including details such as full name, address, items purchased, quantities, etc. The e-commerce store is managed and hosted by a managed cloud service provider. Additionally, all data is copied offsite to a backup service provider in case of a disaster recovery. Which entity is the data controller in this scenario?
The data controller, I believe, would be the e-commerce store, as they would be the one that “determines the purposes” of the data.