
Coming into force in 2018, the GDPR has completely transformed personal data law.
What are my obligations and responsibilities as a GDPR data controller?

What is a data controller?

According to the CNIL (National Commission for Information Technology and Civil Liberties), the data controller is considered to be a legal entity (organization or municipality) or natural person who is responsible for determining the various purposes and means of a processing operation. In other words, the data controller defines the purpose and the process to be followed in order to carry out the various processing operations.

The data controller is therefore a legal entity represented by its legal representative. It may be a company, a local authority or an association that is supposed to carry out the processing.

There are many people who can take on the role of data controller.

In this regard, the GDPR provides for the principle of accountability. It is therefore mandatory to specify the obligations and responsibilities of each party.

What are the obligations of a GDPR data controller?

The GDPR has laid down certain obligations that concern the controller, so that all processing is GDPR compliant:

Obligation of lawfulness

Because the data controller determines the purposes and means of a processing operation, he or she is obliged to process all personal data in accordance with what the GDPR texts stipulate, and to do so in a fair, lawful and transparent manner. For example, if processing is based on a person's consent, the data controller must be able to prove that consent.

Information obligation  

When processing personal data, the data controller is obliged to inform all data subjects. In other words, he or she must provide them with all information relating to the processing of their personal data, such as the categories of data collected, their uses, the purposes of the processing, etc.

Security obligation

The data controller must implement measures to guarantee the security of the personal data being processed. What's more, in the unfortunate event of a breach of data protection principles, the data controller will be obliged to inform not only the CNIL (National Commission for Information Technology and Civil Liberties), but also all data subjects.

Obligation to take account of people's rights 

Thanks to the GDPR, everyone has various rights over their personal data. For this reason, the data controller must make it easier for all data subjects to exercise their rights, while taking into consideration any related requests.

Accountability of a GDPR data controller

Ensuring GDPR compliance is the main accountability of a data controller. All the measures necessary to ensure this compliance must be taken into consideration for each processing operation carried out. In addition, the data controller must be able to demonstrate and prove the compliance of its processing operations if necessary.

Depending on the type of processing envisaged, the data controller must be in a position to assess the potential risks that could have an impact on the business and, if necessary, to take the necessary measures. Additional measures may also be required, as in the case of processing sensitive data.

This will involve specific data hosting or an impact study. You can read our article on this subject in detail.  

Use of processors

The data controller must ensure that the processors with whom he or she will be working are GDPR compliant. Otherwise, the controller's accountability will be engaged. In this regard, the CNIL (National Commission for Information Technology and Civil Liberties) requires companies to work only with GDPR-compliant organizations.

In the event of a data breach, organizations that are GDPR compliant will face less risk than those that are not. You can read our article on GDPR compliance, which covers the subject in detail.

Furthermore, in the event of a breach of the obligations laid down by the GDPR, the data controller could face heavy penalties. The GDPR has provided for penalties of up to €20 million or 4% of worldwide sales. For more information, you can read our article on GDPR sanctions.