• Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Privacy Academy (in Dutch)
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Privacy Academy (in Dutch)
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Privacy Guidelines on Data Processor and Data Controller

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 9, 2020

      Guidelines 07/2020 on the concepts of controller and processor in the GDPR

      Executive Summar
      Recitals by The European Data Protection Board
      Introduction
      PART I
      CONCEPTS
      Section 1
      General Observations
      Section 2
      Definition of Controller
      Section 2.1
      Definition of controller
      Paragraph 2.1.1
      Natural or legal person, public authority, agency or other body
      Paragraph 2.1.2
      Determines
      Paragraph 2.1.3
      Alone or jointly with others
      Paragraph 2.1.4
      Purposes and means
      Paragraph 2.1.5
      Of the processing of personal data
      Section 3
      Definition of Joint Controllers
      Section 3.1
      Definition of joint controllers
      Section 3.2
      Existence of joint controllership
      Paragraph 3.2.1
      General considerations
      Paragraph 3.2.2
      Assessment of joint participation
      Subparagraph 3.2.2.1
      Jointly determined purpose(s)
      Subparagraph 3.2.2.2
      Jointly determined means
      Paragraph 3.2.3
      In case there is no joint controllership
      Section 4
      Definition of Processor
      Section 5
      Definition of Third Party/Recipient
      PART II
      CONSEQUENCES OF ATTRIBUTING DIFFERENT ROLES
      Section 1
      RELATIONSHIP BETWEEN CONTROLLER AND PROCESSOR
      Section 1.1
      Choice of the processor
      Section 1.2
      Form of the contract or other legal act
      Section 1.3
      Content of the contract or other legal act
      Paragraph 1.3.1
      The processor must only process data on documented instructions from the controller (Art. 28 (3) (a) GDPR)
      Paragraph 1.3.2
      The processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art.28 (3) (b) GDPR)
      Paragraph 1.3.3
      The processor must take all the measures required pursuant to Article 32 (Art.28 (3) (c) GDPR)
      Paragraph 1.3.4
      The processor must respect the conditions referred to in Article 28 (2) and 28 (4) for engaging another processor (Art.28 (3) (d) GDPR)
      Paragraph 1.3.5
      The processor must assist the controller for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights (Article 28 (3) (e) GDPR)
      Paragraph 1.3.6
      The processor must assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (Art.28 (3) (f) GDPR)
      Paragraph 1.3.7
      On termination of the processing activities, the processor must, at the choice of the controller, delete or return all the personal data to the controller and delete existing copies (Art.28 (3) (g) GDPR)
      Paragraph 1.3.8
      The processor must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Art.28 (3) (h) GDPR).

                                                       

      Section 1.4
      Instructions infringing data protection law
      Section 1.5
      Processor determining purposes and means of processing
      Section 1.6
      Sub-processors
      Section 2
      CONSEQUENCES OF JOINT CONTROLLERSHIP
      Section 2.1
      Determining in a transparent manner the respective responsibilities
      Section 2.2
      Allocation of responsibilities needs to be done by way of an arrangement
      Paragraph 2.2.1
      Form of the arrangement
      Paragraph 2.2.2
      Obligations towards data subjects
      Section 2.3
      Obligations towards data protection authorities

      • Share:
      author avatar
      Privacy Professor

      Professor mr drs Romeo F. Kadir MA MSc LLM LLM (Adv) EMBA EMoC

      At present Romeo Kadir serves as the President of the Global Association of Data Protection Professionals Europe (GADPPRO). GADPPRO is a thought leader self-regulatory association of data protection professionals based in the European Union, active around the globe and the first European Association of data protection professionals open for members outside the EU. Please visit www.gadppro.org for more information.

      First appointed Data Protection Officer (DPO) ever in the Netherlands (European Union) at a semi-public entity. Seasoned European Privacy and Data Protection Expert (22+ years of practical experience in EU Privacy and Data Protection Law, Business Management, Compliance and Ethics).

      Studied European and International Law, Political Sciences and Business Administration. Romeo Kadir is EIPACC EADPP Professor European Privacy & Data Protection Law at Universitas Padjadjaran UNpad (Indonesia) and Honorary Visiting Research Fellow with O.P. Jindal Global University (New Delhi), Senior Associate Fellow with Vidhi Centre for Legal Policy (New Delhi), Lecturer Science Honours Academy and Lecturer at the International Molengraaff Institute, Utrecht University (UU, Netherlands). In 2010 he was founder of the first European Data Protection Academy focusing on privacy-only executive education.

      Present Occupations in European Data Protection Law

      Member of the International Bar Association (IBA)
      Member of the International Board of Experts with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
      Member of the International Strategic Board with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
      Member of the Swiss-Chinese Law Association (SCLA)

      Former Occupations in European Data Protection Law

      President European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
      Co-Founder/Vice-President European Association for Data Protection Professionals (EADPP)
      Chair EADPP Certification Committee Data Protection Professionals,
      Chair EADPP Academic Board
      Chair EADPP Expert Committee on Cybersecurity
      Chair EADPP Expert Committee on Artificial Intelligence (AI)
      President Supervisory Board of the Dutch Privacy Complaints Office (NPKI)
      Rapporteur to UN Monitoring Commission Human Rights on behalf of the Dutch Privacy Foundation (SPN)

      Publications

      'Handbook DPO - A Practical Guide', Privacy Publishing Group (2017)
      Editor-in-Chief of ‘Data Protection Dictionary’, authored, edited and coordinated ‘Handbook for the Data Protection Officer – A practical Guide’, ‘The Ultimate GDPR Business Guide – Six Volumes’ and other relevant books in the field of privacy and data protection (www.dataprotectionbooks.com)

      www.romeokadir.eu

      Previous post

      Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
      September 9, 2020

      Next post

      Privacy
      September 10, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now