GDPR
2. Duties of controllers / processors
Under the General Data Protection Regulation (GDPR), both controllers and processors have certain obligations regarding the protection of personal data. Here are some important obligations that must be met by both parties:
Obligations of Controllers:
- Transparent information obligation: Controllers must inform data subjects about the processing of their personal data. This information must be clear, precise and easy to understand.
- Lawfulness of processing: Controllers may only process personal data in a lawful manner. This requires a legal basis (e.g., consent of the data subject or performance of a contract) and compliance with the data processing principles.
- Purpose limitation: Controllers may collect and process personal data only for specified, explicit and legitimate purposes. Further processing for incompatible purposes is only permitted in certain exceptional cases.
- Data minimisation: Controllers should collect only those personal data that are necessary for the processing purpose in question. No excessive or unnecessary data should be collected.
- Accuracy of data: Controllers are required to ensure that personal data is accurate and up to date. Inaccurate data must be corrected or deleted.
- Storage limitation: Controllers should only store personal data for as long as necessary for the purpose of the processing. The duration of data storage should be clearly defined.
- Data security: Controllers must take appropriate technical and organizational measures to protect personal data from unauthorized access, loss or misuse.
Obligations of Processors:
- Data processing contract: Processors must enter into a written contract with the controller that specifies the data protection requirements under GDPR.
- Data processing on behalf: Processors may only process personal data in accordance with the instructions of the controller and may not use it for their own purposes or pass it on to third parties unless this is legally required.
- Data security: Processors must take appropriate technical and organizational measures to ensure the security of personal data.
- Support of the controller: Processors must support the controller in fulfilling its obligations under data protection law, for example in implementing data subject rights or in conducting data protection impact assessments.