Both data controllers
and data processors can be 100 percent liable for a violation of the GDPR, if both were involved in the relevant data processing.
First we must recognise three key actors within the Data Protection regime: the data controllers
, processors and subjects.Data controllers determine the purpose for and the manner in which the data collected on citizens is processed.
For example a retailer that hires a human resources company to handle payroll and other functions is the data controller
, while the human resources company is the data processor.
Another essential component within the regulation that businesses should understand is the difference between data controllers
The GDPR not only introduces the right to erase data (i.e., "to forget"), but it also encompasses the right "to be forgotten." The first specifies the need for a data controller
to delete data, and the second requires data to be deleted "from all possible sources" in which they reside (Bartolini & Siry, 2016).
Andrew Wallace, prosecuting, had earlier told the court: "A police officer is under a duty not to disclose personal data without the consent of the data controller
, who would be the chief constable."
Any organisation that decides on why and how personal data is processed is essentially a "data controller
." Therefore, the GDPR applies not only to businesses in the EU, but also to all organisations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behaviour of data subjects within the EU.
Scality, a world leader in object and cloud storage, has launched its Scality Zenko, a Multi-Cloud Data Controller
, the company said.
Under Article 2(d) of Directive 95/46 "data controller
" was defined as the natural persons or entities "which alone or jointly with others determines the purposes and means of the processing of personal data", i.e.
That's seven trips to the affected radar scope, and a whole lot of exercise for the Flight Data controller
A DPC spokesman said: "If an individual is using CCTV or a body-worn camera and processing personal data beyond what is a 'personal or household activity' then they may assume the role of a data controller