The EU General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or the General Data Protection Regulation (GDPR)) entered into force on May 25, 2018 and is from then on binding on all natural and legal persons who process personal data.
What is personal data?
The Regulation stipulates that any information relating to an identified or identifiable natural person (the data subject) is personal data. In other words, any information by which a person can be identified, directly or in combination with other information, is considered personal data.
For example, in a company, this is employee data obtained when starting an employment relationship and concluding an employment contract with an employee (name, surname, position, personal identification number, e-mail and residence address, telephone, etc.) or customer data that you use to issue an invoice to the customer (name, surname, address, telephone, etc.).
What is a data subject?
Any natural person whose data is processed (used).
Does personal data include the data of a legal person?
No, the requirements of the Regulation apply only to the data of natural persons (they do not apply to a legal person, its name, e-mail address, etc.).
What is the processing of personal data?
Any operation performed on personal data. For example: collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data.
Who is the Controller?
The Controller is any natural or legal person (SIA, AS, state or municipal institution, etc.) who determines the purposes of personal data processing (i.e. for whom and why the data are processed) and the means of processing, i.e. the way in which the data are processed (for example, data are collected to register customers, to enter into employment contracts with employees or to enter into service contracts with customers, etc.). The controller bears full responsibility for the processing of personal data, even if all data are processed on behalf of the controller by a processor.
Who is a Processor?
A processor is a person chosen and authorized (or contracted) by the controller to process personal data on behalf of the controller.
What is the difference between a Controller and a Processor?
The main differences are:
The Controller is the one who obtains data from a natural person (his or her employee, customer, visitor, etc.);
The Controller is the one who decides for what purpose the data are obtained (to enter into a contract, to provide a service, etc.);
The Processor acts on behalf of the Controller by processing the personal data that the Controller has obtained.
Why is it mandatory for the Controller to enter into a data processing agreement with the Processor?
All responsibility for the processing of personal data lies with the controller (even if all data are processed and stored by the processor). If the supervisory authority (the State Data Inspectorate) imposes a penalty, it is imposed on the controller. It is therefore important to conclude a proper, legally binding agreement on the processing of personal data which clearly sets out the rights and obligations of both parties, the limits of liability and the consequences of a breach of the processing rules. The contract is necessary not only in the interests of the controller, but also in the interests of the processor, so that the processor is protected against unfounded claims for damages.