Hello. Welcome back to this Introduction to GDPR. In this video we will be looking at the responsibilities of data controllers and processors, and at data subjects' rights, in more detail.
A controller is any entity that, alone or jointly with others, determines how and why personal data are processed. The important distinction between controllers and processors is that controllers are the decision makers and thus have the highest level of accountability.
The GDPR includes provisions that promote accountability and governance of controllers. These complement the GDPR's transparency requirements, which were discussed in the last video. The principles of accountability and transparency have previously been implicit requirements of data protection law; the GDPR's emphasis elevates their significance.
You will now be expected to put in place comprehensive but proportionate governance measures, including privacy impact assessments, to assess the risks of processing to data subjects.
Security by design means organizations must implement technical and organizational measures to demonstrate compliance with the regulation. These are likely to include measures such as pseudonymisation, encryption and data minimization, as well as organizational measures such as staff and privacy policies. I will cover more on this in the next videos on the security of processing and data protection impact assessments.
In the previous video on the lawfulness of processing, I discussed the various legal bases of processing, and said that the scope of processing, both in terms of the types and amounts of data being processed and the length of time the data will be held, must be fully disclosed to the data subject and their consent given either directly or through a contract or relationship, and that processing should not extend beyond what a reasonable person would expect.
It is the controller's responsibility to ensure this remains the case through the full processing life cycle and that the data is deleted once processing is completed, except in certain circumstances. There are further requirements to ensure that mechanisms are in place so that all records are made available on request to data subjects and so that they can have errors rectified, to ensure the integrity of their personal data.
Further, if the basis for lawful processing is consent, then the data subject can withdraw consent to processing at any time and have their data deleted or made available to them in an industry standard format to transfer to another controller. This is known as data portability, and while these standards are not necessarily immediately in place in all industries, it is expected they will develop.
As well as the controller's obligation to provide comprehensive, clear and transparent privacy policies, if the organization has 250 or more employees, it must maintain additional internal records of its processing activities. If the organization has fewer than 250 employees, it is required to maintain records of activities related to higher risk processing, such as processing personal data that could result in a risk to the rights and freedoms of individuals, or processing of special categories of data or criminal convictions and offences.
So what records do controllers need to keep? I'll cover documentation in greater detail in the next set of videos, but for now it's mainly recording the purposes of processing, the categories of data, details of any transfers to third countries and the safeguards around them, retention schedules, and a description of technical and organizational security measures.
The GDPR imposes a high duty of care upon controllers in selecting their personal data processing providers, which will require procurement processes to be regularly assessed to ensure they meet the requirements.
Contracts must be implemented with processors which include a range of information, such as the data to be processed, the processes to be performed, the duration of processing, and obligations, e.g. that no additional processing will be undertaken outside the terms of the contract, assistance where a security breach occurs, appropriate technical and organizational measures taken in order to assist, and data deletion at the completion of the processing.
Ensure compliance of processors. When contracting work to third parties, you may consider whether they have signed up to and complied with codes of conduct or certification mechanisms.
Register with the supervisory authority prior to processing. If you have offices in more than one EU country, then your lead supervisory authority will be in the country where your main establishment is.
Notify the supervisory authority in the event of a breach. We will cover this in more detail in the video on data breaches.
Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data.
Practically, this is likely to mean more policies and procedures for organizations, although many organizations will already have good governance measures in place.
What is a processor? A processor processes data on behalf of the data controller.
So what are the responsibilities of data processors?
Process data only upon documented instruction from the controller. Processing outside of these instructions is a data breach.
Employ security and organizational measures to avoid data breaches. As with controllers, processors must have in place effective technical and organizational security measures to avoid breaches.
Delete personal data at the end of processing and upon instruction from the controller.
Maintain a written record of processing activities carried out on behalf of the controllers. These records are similar to those kept by the controller.
Designate a data protection officer where required. I'll discuss the data protection officer's role in a later video.
Notify controllers immediately upon a data breach, and the controller will then notify the relevant supervisory authority.
Provide all information to controllers that is necessary to demonstrate compliance.
Allow audits to be conducted by the controller. This should be defined in the contract between the two parties.
The GDPR places specific legal obligations on processors, and they will have significantly more legal liability if they're responsible for a breach.
Data subject rights
Data controllers must provide an individual with the following information on request: the identity and contact details of the controller, and the contact details of the data protection officer.
The controller must confirm whether they process an individual's personal data, and provide the supporting information about the processing, including the purposes of the processing, the categories of data processed, the recipients or categories of recipients, details of any disclosure to recipients in third countries or to international organizations, the envisaged retention period or the criteria used to determine it, the individual's right to erasure, to restrict processing and to lodge a complaint with the regulatory authority, information regarding the source of the data if not collected from the data subject, and any regulated automated decision making, including the logic involved and the significance and personal consequences for the data subject.
The right to obtain from the controller access to, and rectification or erasure of, their personal data.
Organizations may want to consider creating a portal for this purpose.
Restriction of processing of their personal data. This will typically apply when the individual contests the accuracy of the data held, or where the individual permits the controller to hold enough information to identify them so that it cannot process their data in the future.
The length of time that data will be held or, as I mentioned before, the criteria for determining how long it will be held.
Data portability in a standardized format. The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without hindrance to usability.
The information that controllers supply about the processing of personal data must be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child, and free of charge. It must be provided without undue delay, typically within 30 days.
In some circumstances, if the request is unreasonable, repetitive or unduly complex in nature, the controller can either charge a reasonable fee based on the administrative cost of servicing the request or refuse the request. When a controller refuses a request, it must provide an explanation informing the individual of their right to complain to the supervisory authority within 30 days of the request.
The controller should make best endeavours to verify the identity of the requester; otherwise, data integrity and confidentiality are at risk.
Finally, if the controller has received data from a third party, they should notify the data subjects within 30 days. If the controller wishes to pass data on to a third party, the data subjects must be notified in advance.
In the next video, I'll be looking at the security requirements for processing as laid down in the GDPR. In the meantime, thank you for watching.