The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The new regulations place new and greater responsibilities on data processors to comply with data protection requirements.
Article 5 of GDPR outlines the six core principles introduced under the new regulations which govern the processing of personal data. These require that personal data must be:
Article 5 requires that data controllers must comply with the six principles and demonstrate compliance with the principles.
GDPR defines a data controller as:
“a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.”
(e.g. a business obtaining customer or employee details, or a school, college or university holding student records.)
The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights. Putting it simply, they are the manager of personal data, they instruct the processor. The data controller will decide the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.
A data controller will act on their own autonomy. A party constrained in how they can handle personal data is less likely to be a data controller but could be a data processor.
The two simple questions to consider when identifying the data controller are:
GDPR defines a data processor as:
“a natural or legal person that processes personal data on behalf of the data controller.”
A data processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the data controller in its processing of the personal data.
The role of a data processor could include storing data, retrieving data, running the payroll for a business, carrying out marketing activities, or providing security for data.
In this scenario, Marketing123 is a data processor and Toys4you is the data controller.
In order for a business to process personal data under GDPR, it must have a valid lawful basis. GDPR identifies six lawful bases for processing personal data, these are:
The lawful basis must be determined before data is processed. It is important that this is right first time. Businesses are unable to simply swap to a different legal basis at a later date.
If the business decides to change the purpose for processing the personal data collected, the lawful basis relied upon will require review. Depending on the extent of the change (whether it is compatible with your initial purpose) businesses may be able to rely on the same lawful basis. This is unless the lawful basis is consent, in which case this will need to be refreshed.
You can check online for further advice or contact a member of our Corporate Commercial team to review your existing policies and business terms and conditions.
For legal advice on corporate commercialGet in touch
Below is a list of frequently asked questions about corporate law during the Covid-19 outbreak.
Below is a list of frequently asked questions about commercial contracts during the Covid-19 outbreak.