Module 3 - Controllers and Processors Flashcards
1
Q
Who are the key stakeholders in a data processing relationship?
A
- DATA SUBJECT: Natural person subject to data processing activities.
- DATA CONTROLLER: Natural or legal person responsible for means and purposes of processing activities, who may act alone or jointly with other controllers.
- DATA PROCESSOR: Processes on behalf of the controller.
- DATA PROTECTION AUTHORITY: Supervisory authority with oversight of processing in a Member State.
2
Q
What three data controllership relationships are possible?
A
- Controller-controller.
- Joint controllers.
- Independent controllers.
3
Q
What are the consequences of a processor acting outside the scope of their controller’s mandate?
A
- The processor becomes a controller in their own right, subject to full compliance obligations under GDPR (article 28).
- A controller may limit their liability for delinquent processors by undertaking rigorous due diligence prior to engagement, including: reviewing the processor’s technical and security measures; checking any accreditations; appraising the processor’s data-handling knowledge; reviewing any retained sub-processors; investigating any breach actions or investigations.
4
Q
What considerations does article 28, GDPR require a processor to agree to under a data processing agreement?
A
- Ensuring persons involved in processing are committed to confidentiality obligations.
- Implementation of appropriate technical and security measures.
- Seeking controller consent to sub-processors, with flow-down of obligations.
- Deletion and return of personal data (upon controller instruction).
- Assisting the controller in supporting subject access right requests.
- Providing the controller with information necessary to evidence compliance with GDPR.
- Audits undertaken by the controller or a third party.
- Processing on the controller’s documented instructions only.
- Assistance with data breach responses to supervisory authorities and affected data subjects.