In this video, we look at the main actors under the GDPR: the data subject, the controller and processor, and the supervisory authorities.

Who is the data subject? The data subject is you, me, all of us: the living individuals to whom personal data relates.

Who are the controllers, processors, and sub-processors? A controller is the individual or company that determines the purposes and means of processing. In other words, they determine why and how personal data are processed. The processor is the individual or company that processes personal data on behalf of the controller, following the controller's instructions. If they go beyond those instructions, they become controllers themselves. Where a processor engages another processor to carry out a specific processing activity on behalf of the controller, we refer to this other processor as a 'sub-processor', although this term is not used in the GDPR.

Can we give a practical example? Yes. Imagine that BestCare provides a healthcare management service, which runs on an infrastructure-as-a-service provider, CloudStore. BestCare uses CloudStore's services to process your personal data in order to provide its services to you and to keep track of you as a patient. This is the purpose of processing your data: BestCare determines why your data are processed. As to how BestCare processes your data, it uses CloudStore's cloud service, which is a key decision about the means of processing. Under the GDPR, as a controller, BestCare must provide clear instructions to CloudStore on how to process such data. When CloudStore follows those instructions, it acts as a processor, processing data on behalf of BestCare to fulfill BestCare's purposes. In this case, BestCare is the controller and CloudStore is the processor.
Sometimes, in the cloud context, the concept of a cloud customer giving 'instructions' to a cloud provider will have little, and possibly no, substance, as the customer processes personal data in a 'self-service' manner using the provider's resources.

Why does identifying who is the controller and who is the processor matter? These roles determine the responsibilities of the parties under the GDPR. Distinguishing between the two roles is important because the controller has many more obligations than the processor. For example, the controller is responsible for complying with the data protection principles and the legal grounds for processing, and for facilitating data subject rights. So, if you want to request access to, or erasure of, your personal data, you must contact the controller, in this case BestCare. The processor has only a few of the obligations that the controller has, such as data security and record-keeping obligations. In our example, both BestCare and CloudStore are responsible for the security of your health records, but only BestCare is responsible for responding to your requests to exercise your rights.

But can CloudStore become a controller? Yes, if CloudStore processes data for its own purposes and not just for the purposes determined by BestCare. Imagine that BestCare's patients upload pictures of their health conditions to CloudStore. The uploaded pictures might include metadata such as the date and time of the picture, geolocation, mobile number, email, etc. In addition, CloudStore may have access to data about how BestCare's patients use its cloud services. Combining such data could produce detailed healthcare profiles of BestCare's patients, which CloudStore could then sell to advertisers or insurance companies. In that case, CloudStore would be processing that metadata for its own purpose, beyond BestCare's instructions.
CloudStore will then be considered a controller in respect of that processing and will assume all of the controller's GDPR obligations, including the responsibility to have a legal basis for processing such data.

Now, who are the supervisory authorities? Independent supervisory authorities monitor the application of the GDPR to protect data subject rights and to ensure consistent application of the GDPR throughout the EU. They may initiate investigations into whether a controller or processor complies with the GDPR and issue fines for GDPR infringements. Each EU Member State has its own competent supervisory authority. For example, in Spain the supervisory authority is the Agencia Española de Protección de Datos (AEPD), and in France it is la Commission Nationale de l’Informatique et des Libertés (CNIL).

What does this all mean? Well, usually, cloud providers act as processors, processing personal data on behalf of their customers. But cloud providers can also act as controllers when they process personal data for their own purposes. When thinking about compliance with the GDPR, it is important to identify the relevant controller and processor roles, because these determine the parties' obligations and their potential liability to pay fines to supervisory authorities or to meet compensation claims for damages from data subjects.