This fifth set of guidelines provides more information about the definition in the EU General Data Protection Regulation of data controllers and data processors.
The Danish Data Protection Agency and the Danish Ministry of Justice recently issued their fifth set of guidelines about the GDPR. The guidelines concern the difference between data controllers and data processors. The distinction is important because different requirements are imposed on data controllers and data processors.
In very broad outline, data controllers are responsible for ensuring compliance with the GDPR, whereas data processors must comply with the instructions issued by the data controller and with the processor agreement that has been concluded.
The guidelines present a number of principles that may be applied in determining whether a company is a data controller or a data processor. They also provide a number of illustrative examples to serve as inspiration. Furthermore, the guidelines describe which issues to be aware of once the roles of data controller and data processor have been determined.
The guidelines are available here (in Danish).
The content of the above is not, and should not be, a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.