Frédéric Tronnier (GUF)
This section explains the main actors in the GDPR, that is, the roles that may be assigned to individuals, organizations or other entities. Art. 4(7-10) define several of these actors, while others are defined later in the GDPR[1]. The actors are defined here in order to clarify the different tasks, rights and responsibilities that each of them possesses. To work with personal data and to comply with the GDPR, it is necessary to understand the role that one takes when working with that data. Table 1 gives a brief summary of the main actors. Within the main body of this document, practical examples illustrate the interplay between the different categories of actors.
References
[1] For more detailed information on the main actors (controller, processor and joint controllers), we refer to the EDPS guidelines on these actors: EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725. Available under: https://edps.europa.eu/sites/edp/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf (Last visited: 03.12.2020). And Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Available under: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf (Last visited: 03.12.2020).
| Actor | Controller | Processor | Joint Controller | Recipient | Third Party | Data Protection Officer | Supervisory Authority |
|---|---|---|---|---|---|---|---|
| GDPR | Art. 4(7) | Art. 4(8) | Art. 26 | Art. 4(9) | Art. 4(10) | Art. 37 | Art. 51 |
| Short description | Any entity that determines the purposes and means of the processing of personal data. | Handles the processing of personal data on behalf of the controller. Does not determine the purposes of this processing. | Two or more controllers that jointly determine the purposes and means of processing of personal data. | Any entity to which personal data is disclosed, with the exception of public authorities that receive personal data in accordance with the law. | Any entity other than controller, processor, data subject or persons authorized to process personal data. | Natural person that acts independently within an organization to ensure the correct application of the GDPR. | Independent public authority established by the EU member states. Also called Data Protection Authorities (DPAs). |
| Tasks | Is in control of the data and decides what is done with it. Usually wants to achieve a goal with the data. | Processes the data under the instructions of the controller. | The tasks are the same as those of a (single) controller but are performed by all joint controllers together. | Has no active part. A recipient is defined only by its access to personal data. | Has no active part. | Ensures that the rights of data subjects are protected. Handles and addresses complaints. | Responsible for monitoring and enforcing the correct application of the GDPR. Promotes awareness of issues of data processing. Handles complaints of data subjects. |
| Rights / Responsibilities | Needs to ensure compliance with the GDPR in the processing of the data and be able to demonstrate that processing of personal data is performed in accordance with the GDPR. Needs to implement appropriate technical and organizational measures for this. | Acts under the instruction of the controller with a certain degree of freedom in choosing the most suitable methods for the processing. Guarantees that the processing meets the requirements of the GDPR. | Joint controllers need to determine their respective responsibilities for compliance with the data processing. Need to provide a contact point for data subjects. | No rights and responsibilities. Will become a controller for any processing that is carried out for its own purposes. | Receives personal data. Will become a controller for any processing that is carried out for its own purposes. | Acts independently with its own budget and resources. Should not be in a conflict of interest, therefore not a processor or controller. | Enforces application of the GDPR. Can issue warnings and reprimands, or ban or limit the processing of personal data by other entities. |
Table 1. Short summary on the main actors in the GD