Who is responsible?

Understanding GDPR

Shalini Kurapati, CIPP/E

Co-founder, Clearbox AI

Key GDPR roles

  • Data controller
  • Data processor
  • Data Protection Officer or DPO
  • Supervisory Authority (SA) / Data Protection Authority (DPA)

Data controller

  • Decides data processing purposes and means
  • Joint decisions mean joint controllers
  • Ultimately accountable

Example: boutique pastry shop outsources payroll management

  • Data controller: Boutique shop
  • Data processor: Payroll company

Data processor

Illustration of a laptop screen with data analysis charts and two hands typing on the keyboard. The image is supposed to represent a data processor.

  • Usually a third party or sub-contractor that processes personal data on behalf of the controller
  • No direct responsibility
  • Terms agreed in a Data Processing Agreement
  • Aligns with the controller's obligations for compliance

Data protection officer or DPO

Illustration of a DPO represented by a woman pointing at a lock symbol representing data protection.

  • Monitors, advises, helps comply
  • Cooperates with the SA and acts as contact point
  • Applies to both controllers and processors
  • Mandatory for:
    • Public bodies
    • High risk processing
  • Risk matters, not company size
1 Guidelines on Data Protection Officers ('DPOs') (wp243rev.01)

Supervisory authority or data protection authority

Several EU flags in front of a building in Brussels.

  • Independent public authority
  • Fines for non-compliance
  • All member states have an SA/DPA
    • Garante per la Protezione dei Dati Personali (ITA)
    • Autoriteit Persoonsgegevens (NL)
1 https://edpb.europa.eu/about-edpb/about-edpb/members_en

Data breaches: what to do?

What is a data breach?

  • Loss, unlawful access or disclosure
  • Confidentiality, integrity, availability

What to do?

  • Notify the SA/DPA without delay
  • Within a 72-hour window
  • If high risk, inform data subjects and take follow-up actions

Example: Online marketplace hacking

  • DPO: important role
  • Record of data breaches
  • Data breach policy
1 Guidelines on personal data breach notification under regulation 2016/679, WP250 rev.01

Coordination across countries

Logo of the European Data Protection Board.

List of EDPB members with their respective flags

  • Consistent application of rules
  • Cooperation across members
  • EU27 Supervisory Authorities
  • EDPS, European Data Protection Supervisor
  • Iceland, Norway, and Liechtenstein have no voting rights
1 https://edpb.europa.eu/about-edpb/about-edpb/members_en

Let's practice!
