DPDPB and GDPR: Obligations of Controllers and Processors.

Introduction:

For the protection of personal data to be successful, accountability and enforcement are essential. The parties responsible for adhering to the law should be identified, as well as their responsibilities and duties to guarantee compliance and defend individual rights, and what actions they must take if they fail to do so.

Both data controllers and processors should have their roles, obligations, and responsibility specified in the legislation. The connection between controllers and processors should also be covered by the legislation, along with specific expectations for each party. Records-keeping, security, and reporting of data breaches rules should also apply to controllers and processors.

Both data controllers and data processors are subject to the General Data Protection Regulation’s requirements. One such requirement is that Controllers and Processors enter into a contract that is legally binding and that governs the processing of personal data whenever a Processor is hired to handle personal data at the direction of a Controller (a “Data Processing Contract”).

The definition of a “processor” under the GDPR has not changed. The GDPR, on the other hand, allocates obligations on both controllers and processors regarding compliance, whereas the Directive typically only applied to controllers. If either or both of these parties fail to comply with the new EU data protection law, they will be directly prosecuted and subject to severe fines. For organizations that serve as processors, the direct legal requirements established by the GDPR are important. Nevertheless, they are equally crucial to organizations that operate as controllers and hire processors to handle personal data on their behalf. This blog talks about the obligations of data processors and controllers laid down in both the GDPR and DPDP bill.

Definition:

A data controller is described in Article 4(7) of the GDPR as:

“Controller” refers to a natural or legal person, public authority, agency, or other body that, alone or in collaboration with others, determines the purposes and means of the processing of personal data; in cases where those purposes and means are established by Union or Member State law, the controller or the specific requirements for its nomination may be stipulated by such law.

A data processor is defined by Article 4(8) of GDPR as:

A natural or legal person, governmental authority, agency, or other entity that processes personal data on behalf of the controller is referred to as a “processor”.

A Data processor is defined by Clause 2(7) of the Digital Personal Data Protection Bill as: 

“Any individual who handles personal data on behalf of a data fiduciary is referred to as a Data Processor.”

 

What should organizations do to comply:

Organizations that operate as processors or controllers who engage processors should thoroughly assess the criteria for selecting processors. They should examine their current data processing agreements in particular and determine whether any modifications are necessary. The GDPR’s rules should be followed when creating any new data processing agreements.

Each organization that serves as a processor should also:

1. Mention the data processing tasks for which it serves as a processor;
2. Ensuring that it is aware of its obligations under the GDPR as a processor; and
3. Ensure that it has suitable procedures and models in place for locating, analyzing, and to the extent necessary promptly notifying the relevant controller of data breaches.

Obligations of Processors and Controllers Under GDPR:

The extra compliance duties that emerge from the GDPR are anticipated to result in considerable cost increases for processors, which will most likely be passed along to clients. Additionally, as processors become more meticulous about the terms of the agreement and the purview of the controller’s orders, the negotiation of processing agreements is expected to grow more difficult. Organizations that function as processors or controllers who engage processors should carefully consider the regulations related to hiring processors. They should assess any necessary adjustments to their current data processing agreements in particular. New data processing agreements should be aligned with GDPR Regulations.

It is the responsibility of data controllers and processors to take all necessary steps to guarantee legal compliance. To prove that processing is done following the law, it is not sufficient for them to merely comply with the legislation; instead, they must distinctly indicate how they are compliant. Data controllers and processors should put in place the proper organizational and technological safeguards to guarantee that processing is done legally and to be able to prove it.

Confidentiality and Integrity:

The obligation and responsibility to protect the infrastructure’s and data’s security must be done by both the data controller and data processor. Additionally, they should be required by their duties to notify and look into breaches, as well as to alert the appropriate supervisory authority and impacted data subjects.

The responsibility of protection should be extended to encompass the infrastructure and the devices used at every stage of processing, including production, collecting, retention, and sharing. The legislation should include security precautions not simply to preserve the data itself.

Data Controller:

The main person in charge of ensuring that customer rights and privacy are upheld, managing access, and gaining cookie consent is the data controller. They have more autonomy in decision-making, but they also assume responsibility for errors. 

According to Article 5 of the GDPR, data controllers are accountable for the accuracy, legitimacy, and fairness of information. They must also safeguard the privacy, veracity, and storage restrictions of personal data. To avoid penalties and GDPR fines, data controllers should only choose data processors that adhere to the GDPR.

Data Processor:

To be a data processor, one must meet two fundamental requirements: one must be a different legal entity from a data controller and must handle personal data on the controller’s behalf.

Data is not within the control or ownership of data processors. Therefore, they are unable to alter their objective or the method of processing. Data processors typically offer IT solutions, such as cloud storage. If the data controller has previously given written consent, data processors may also delegate some of their tasks to other processors or name a joint processor.

Obligations of processors under the DPDP Bill:

The much-anticipated Digital Personal Data Protection (DPDP) Bill, 2022, was announced by the Ministry of Electronics and Information Technology on November 18, 2022.

The DPDP Bill relates to personal data that is acquired in India I online, (ii) offline but later converted to digital form, (iv) outside India, and (v) outside India but processed in conjunction with activities such as supplying services or products to data principals in India.

The DPDP Bill stipulates that data processors must protect personal data in their custody or control by adopting reasonable security precautions to avoid a personal data breach, even if the obligation always rests with the data fiduciary, about the data principal.

Only a data processor may be employed by the data fiduciary to process personal data on that entity’s behalf. This should only be carried out with the data principal’s consent and following a binding legal agreement between the data processor and the data fiduciary.

Such a data processor may only, to the extent authorized by its agreement with the data fiduciary, engage, employ, utilize, or engage another data processor to process personal data under a valid contract.

Under the Digital Personal Data Protection Bill, data processors that handle personal data on behalf of other organizations are subject to the following independent statutory obligations (Clause 9): 

1. Take appropriate security precautions to avoid a breach of the personal data it has in its possession or under its control.
2. Notify the Board and each impacted data principal in the case of a personal data breach;
3. If allowed by the contract with the data fiduciary, subcontract processing operations.

Contractual agreements including inter-se responsibility for commitments between the data fiduciary and the data processor are not prohibited by the Bill.

Conclusion:

Knowing which function you perform is crucial since a data controller and a data processor have different jobs and duties. The separation might not be as obvious for certain businesses and their service provider. For this reason, the GDPR and DPDPA have established the various tasks and obligations required of a data controller or a data processor. As businesses work to stay in compliance with GDPR, the roles and duties of data controllers and processors will be more crucial than ever. Compliance depends on your ability to recognize the distinctions between the two and how they affect your obligations depending on the function that your firm plays in any given circumstance.

The Privacy updates are straightforward once you understand them. Once they become ingrained in your behavior, they will aid in defending you from frequent scam tactics. Get in touch with us at info@tsaaro.com.Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.