Part 3: Core terminology and Pagero’s position in the GDPR universe
In order to understand the implications and applications of the upcoming GDPR regulation, it is important to understand the terminology used and how it relates to the business you are in. In our previous article, we took a closer look at the term “personal data”. In this article, we will go through some other important terms and then put them into the context of what we do and how this impacts the way we work.
- A data subject is a natural person whose personal data is processed by a data controller or data processor.
- The data controller is the entity that determines the purposes, conditions and means of processing personal data, and is typically the person or company entering into a contract with the service provider.
- The data processor is the entity that processes data on behalf of the data controller.
- The data controller must establish processing grounds for personal data. This refers to the legal basis for processing the personal data.
- A data processing agreement must be put in place between the data controller and the data processor.
- A data protection authority (DPA) is a national authority tasked with the protection of data and privacy, as well as the monitoring and enforcement of data protection regulations within the EU.
- A data privacy officer (DPO) is an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR. The regulation does not state explicitly that each company must have a data privacy officer. It does say that if a company processes a significant quantity of personal details, it might consider appointing a DPO.
- And finally, transfer of personal data to a third country, where “third country” means any country outside of the EU; the transfer of data between EU Member States is not regarded as a transfer to a third country.
Pagero’s responsibilities as a data processor
As a data processor we have responsibilities to fulfil. Below is a summary of the points that we find the most important:
- We must guarantee the data security of data subjects.
- We must maintain a record of our processing activities.
- If sub-processors are involved, the data controller must be informed thereof.
- We should only process personal data according to the data controllers’ instructions. We should not use the data for any purposes other than as established in our agreement with the data controller.
- We must support our data controllers if there is a data breach.
- Finally, we must report incidents to the data controller without undue delay.
Now you have a toolbox of terms and responsibilities for this GDPR universe. Each company wanting to fulfil the new requirements must perform its own mapping as part of attaining compliance.
In our next article, we will look further into the subject of data processing and what it actually means. We will also discuss an important terminology change in the new GDPR regulation, why you need to keep records of your processing activities and, finally, what is meant by “legal grounds for data processing” and why it is vital in this context.
This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. Fredrik is currently helping Pagero to implement the changes required by the GDPR. He has long experience of legislation in the privacy field and solid experience from banking and finance.