What obligations do controllers have under GDPR?

Data controllers and their responsibilities

sets out the responsibilities of controllers. We have attempted to summarise them here but recommend you refer to the regulation for the definitive rules.

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

When customers use our services to run surveys to collect personal data from Respondents they are the controller for that data.

Preignition is a data controller in relation to the personal data that we collect from customers to set up and run their accounts.

What the responsibilities of a controller?

If you are a controller, you are responsible for ensuring your processing – including any processing carried out by a processor on your behalf – complies with the GDPR. The GDPR responsibilities of a controllers include the following:

• Compliance with the data protection principles: you must comply with the data protection principles listed in Article 5 of the GDPR.

• Individuals’ rights: you must ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making.

• Security: you must implement appropriate technical and organisational security measures to ensure the security of personal data.

• Choosing an appropriate processor: you can only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements. This means you are responsible for assessing that your processor is competent to process the personal data in line with the GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects.

• Processor contracts: you must enter into a binding contract or other legal act with your processors, which must contain a number of compulsory provisions as specified in Article 28(3).

• Notification of personal data breaches: you are responsible for notifying personal data breaches to the supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. You are also responsible for notifying affected individuals (if the breach is likely to result in a high risk to their rights and freedoms).

• Accountability obligations: you must comply with the GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer.

• International transfers: you must comply with the GDPR’s restrictions on transfers of personal data outside of the EU.