DPDPB and GDPR: Obligations of Controllers and Processors

INTRODUCTION

Transparency and enforcement are required for successful personal data protection. The parties who are accountable for complying with the law should be clearly specified, as should their obligations and duties to ensure conformity and defend the rights of individuals, as well as the steps they must take if they do not.

The duties, obligations, and responsibilities of both the controller and the processor of data should be stated in legislation. The relationship involving processors and control systems should be addressed in the legislation, as should established standards for each party. Controllers and processors should be subject to the same standards for record-keeping, security, and the disclosure of data breaches.

The obligations of the regulation known as the General Data Protection Regulation apply to both controllers of information and data processors. Another example is that authorities and processors enter into a legally binding contract that controls personal data processing whenever a processor is employed to handle personal data under the direction provided by the controller (a “data processing contract”).

The GDPR’s definition of a “processor” has not been altered. The GDPR, on the other hand, places compliance duties on both administrators and processors, whereas the Directive traditionally only governed controllers. In the event any or both of the aforementioned parties violate compliance with the new EU privacy regulations, they will be punished severely and fined. The GDPR’s direct legal obligations for organisations that function as processors are critical. They are, however, as important to organisations that act as controllers and engage processing to manage confidential information on their behalf. This blog discusses the duties of data processors and controllers as outlined in both the General Data Protection Rules and the DPDP law.

DEFINATION IN PURSUANT TO GDRP and DPDP REGULATIONS:

Article 4(7) of the General Data Privacy Regulation defines a data controller as:

The term “controller” refers to a legal or natural person, a governmental authority, or other body that, alone or in conjunction with others, establishes the purposes and methods of personal data processing; in cases where those objectives and indications are established by collective bargaining or member state law, the controller’s identity or the particular conditions for its candidature may be specified by such law.

Article 4(8) of the GDPR defines a “data processor” as

A “processor” is a legal or natural person, governmental body, agency, or other organisation that processes personal data with the permission of the controller.

Clause 2(7) of the Digital Personal Information Protection Bill defines a data processor as any individual who handles private information on behalf of a company that holds the data and is commonly referred to as the “data processor.

COMPLIANCE TO BE MADE BY THE ORGANISATION

Organisations that act as processors or as controllers that hire processors should carefully consider the criteria for hiring processors.

They should analyse their present processing of data agreements, in particular, to see whether any changes are required.

When developing new data processing agreements, the GDPR’s standards should be observed.

Address the data processing functions that require that it operate as a processor

Ensure that it is cognizant of its responsibilities under the General Data Protection Regulation (GDPR) as a processor

Ensure that it has appropriate procedures and algorithms in place for discovering, analysing, and immediately informing the relevant control system of data breaches.

PROCESSOR AND CONTROLLER OBLIGATIONS UNDER GDPR:

The supplementary compliance obligations imposed by the GDPR are expected to result in substantial extra expenses for computer processors, which will certainly be passed on to clients. Furthermore, negotiations regarding processing agreements are projected to become more complicated as manufacturers become more precise about the terms of the contract and the scope of the controller’s directives.

Organisations that act as processes or controllers that hire processors should carefully assess the rules governing processor hiring. They should specifically evaluate any necessary changes to their present data processing agreements. GDPR regulations should be incorporated into new data processing agreements.

Data controllers as well as processors are responsible for taking all necessary actions to ensure legal compliance. To demonstrate that the handling is done in accordance with the law, it is not enough to just comply with the regulations; instead, they must clearly demonstrate how they have become compliant.

Data controllers as well as processors must implement appropriate organisational and technical protections to ensure that processing is carried out legally and that they can verify it

Both the system’s data administrator and data processor have a responsibility and duty to ensure the security of the infrastructure and data. Furthermore, they should be obligated by their obligations to inform and investigate breaches, as well as notify the relevant supervisory authority and data subjects.

The duty for protection should be broadened to incorporate the infrastructure and devices utilised at all stages of processing, such as production, collection, retention, and sharing. The legislation should contain security safeguards that go beyond just preserving the data.

SPECIFIC REQUIREMENTS FOR THE CONTROLLER AND THE PROCESSOR:

The Controller of Data:

The data administrator is the primary person responsible for guaranteeing that customer interests and privacy are respected, regulating access, and obtaining cookie consent. They have more decision-making liberty, but they also accept responsibility for mistakes.

Article 5 of the Regulation holds data controllers responsible for the truth, validity, and impartiality of information. They must also protect personal data privacy, truthfulness, and storage constraints. To avoid sanctions and GDPR monetary penalties, information controllers should only work with GDPR-compliant data processors.

Processor of data:

To qualify as a processor of data, one must satisfy two basic specifications: one must be a separate legal entity from the data controller, and you have to manage sensitive information on the controller’s behalf.

Data is not within the data processors’ control or ownership. As a result, they are incapable of changing their goal or technique of processing. Typically, data processors provide IT solutions, such as storage in the cloud. Data processing companies may also outsource some of their responsibilities to other processes or identify a joint processor if the data administrator has previously granted written authorization.

OBLIGATION UNDER DPDP

The DPDP Bill applies to personal data obtained in India: I online, II offline but subsequently transformed to digital form, IV outside India, and V outside the country but processed while connected with activities such as providing services or goods to data proprietors in India.

According to the DPDP Bill, data processors must secure personal data in their possession or control by taking reasonable security procedures to avoid an incident involving personal data, even though the duty always lies with the data fiduciary, who is the data principal.

Only an information processor may be hired by an organisation’s fiduciary to process individual information on behalf of that organisation. This should only be done with the consent of the data principal and after a valid contractual arrangement between the parties.

The processors of data that handle identifiable information on behalf of other organisations are subject to a number of independent statutory requirements (Clause 9) pursuant to the Digital Personal Data Protection Bill:

Taking reasonable security procedures to prevent an invasion of personal data in its custody or control

In the unlikely event of a personal data breach, notify the Board of Directors and each compromised data principal.

Accordingly, the data processor shall notify the consenting person about the information it has collected and the purpose of the processing.

Subcontract processing processes are permitted if permitted by the agreement entered into with the data fiduciary.

Contractual arrangements between the data processor’s custodian and the data processor, including inter-se accountability for promises, are not precluded under the bill.

CONCLUSION

Knowing what functions you perform is critical since the roles and obligations of a controller of data and a processor of data are distinct. For certain organisations and their service providers, the distinction may be less clear. As a result, the General Data Protection Regulation (GDPR) and DPDPB have defined the numerous roles and obligations of a data controller or data processor. As organisations struggle to comply with GDPR, the roles and responsibilities of both controllers and processors of data will be more important than ever. Compliance is dependent on the capacity you have to distinguish between the two and the manner in which they influence your duties based on the role that your organisation plays in any particular situation.

Once you understand them, the privacy enhancements are simple. They will help you defend yourself against common scam methods once they become established in your behaviour.

Click Here : Digital Personal Information Protection Bill