Few regulations can compete with the General Data Protection Regulation (GDPR) in negative notoriety, or in the number of persons it makes liable. Furthermore, the general belief is that the requirements of GDPR are bureaucratic, illogical and meaningless, but nevertheless have to be followed, at least at the declaratory level.

Experts who dealt with data protection even before the era of GDPR know that the legal rights and obligations of individuals, data processors and controllers are not regulated any differently under GDPR than they were before. A broader view of the area shows that the legislative provisions take on their proper meaning, and data operators can even see their obligations under GDPR as a competitive advantage. This is a good chance to build a more solid and lasting business relationship with a client, one that is also trustworthy. In the digital era we live in nowadays, we are often forced to do things faster, more often and cheaper … but do we also do them legitimately?

The liability for lawfully processing personal data has always been the controller’s. GDPR merely made this explicit, but it also imposed some new obligations. These depend on the extent of the data processing, the type of personal data and the purposes of processing.

According to GDPR the controller is obliged to:

  • inform the data subject about the processing of the personal data (e.g. privacy policies, information notices to the data subject),
  • keep records of the processing,
  • adopt an internal rule on personal data protection,
  • provide proper personal data protection in the workplace,
  • answer individuals’ claims (adopt a decision about their legal rights).

Depending on the specific situation and on the nature, extent and purposes of the personal data processing, the controller is also obliged to:

  • carry out an LIA (legitimate interest assessment) when the legal ground for processing is a legitimate interest, and obtain CONSENT STATEMENTS when the legal ground for processing is consent,
  • carry out a DPIA (data protection impact assessment) when it assesses that the intended processing may pose a high risk to individuals’ legal rights and fundamental freedoms,
  • report personal data breaches (also to the data subject),
  • designate a data protection officer.

Although the role of personal data processors is not new, GDPR added some obligations for them.

Processors are obliged to:

  • keep records of the processing,
  • adopt an internal rule on personal data protection,
  • help the controller answer individuals’ claims,
  • help the controller carry out a DPIA,
  • help the controller detect and report personal data breaches,
  • appoint a data protection officer,
  • obtain the controller’s consent before engaging a sub-processor, and conclude a contract with that sub-processor.

Informed and empowered individuals who know and enforce their legal rights are the main guarantors of compliance with data protection regulations.

GDPR gives an individual the right to:

  • be informed and to access their personal data,
  • rectification and erasure (the »right to be forgotten«),
  • restriction of processing,
  • data portability,
  • object to the processing of personal data and to automated individual decision-making, including profiling based on those provisions.

Every individual’s request is an opportunity for the controller to check whether its practices comply with legislation, and also a chance to offer its services in this area.

mag. Rosana Lemut Strle