
Council of the European Union

General Secretariat
Data Protection Unit

Principles, actors and roles in the field of Data Protection – EIPA, June 2018

Reyes Otero Zapata


Data Protection Officer
Council of the European Union
| 1|
The processing principles of Article 5

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

And accountability as a cornerstone: the controller shall be responsible for, and be able to demonstrate, compliance with these principles.

** Violation of principles may entail the highest possible fines

Further reading: WP260 rev01 Guidelines on transparency, endorsed by the EDPB

| 2|
Lawfulness

To be lawful, at least one of the following applies:

• Data subject has consented to the processing
• Contract with the data subject
• Legal obligation of the controller
• Processing needed to protect the vital interests of the data subject
• Controller fulfils a task carried out in the public interest or exercises official authority
• Processing is necessary for the purposes of the legitimate interests pursued by the controller

| 3|
Consent

• Tightened rules on consent
• Consent to process special categories of personal data
• Stronger protection for children’s consent

| 4|
Conditions for consent

1. Consent must be a freely given, specific, informed and unambiguous indication that the data subject agrees to the processing of their personal data. The controller has to be able to demonstrate consent. Consent must be clearly distinguishable from other matters, given by a clear affirmative act, and as easy to withdraw at any time as it was to provide.

2. Special categories of personal data: explicit consent has to refer in an explicit manner to the special categories of data. MS may provide that the prohibition to process this kind of data cannot be lifted by data subjects.

3. Stronger protection for children’s consent in relation to information society services. Minimum age of 16 for valid consent from a minor. MS legislation may provide for a lower age, provided that it is not below 13.

Further reading: WP259 rev01 Guidelines on consent, endorsed by the EDPB

| 5|
Accountability

Controller’s accountability takes shape by:

• Being responsible and able to demonstrate compliance with the principles of art 5
• Adopting organisational and technical measures to ensure security
• Data protection by design and by default
• Towards data subjects: transparency and ensuring the exercise of their rights
• Records (to monitor processing operations and demonstrate compliance)
• Risk-based approach – DPIAs and prior consultation
• Responsibilities towards processors
• Data breaches
• Cooperation with supervisory authorities

Further reading: WP 173, Guidelines on the principle of accountability, not endorsed by the EDPB, and WP248 rev01 Guidelines on DPIA, endorsed by the EDPB

| 6|
ACTORS

• European Data Protection Board
• National Supervisory Authority
• Data Subject
• Controller
• Processor
• DPO

| 7|
DATA SUBJECTS

• At the center of data protection rules
• Risk assessment not related to the organisation but to their rights
• Even if the controller is not established in the EU, GDPR applies to them if there is an offer of goods and services to data subjects in the EU or their behaviour is monitored
• Nationality or place of residence of data subjects becomes irrelevant

| 8|
CONTROLLERS, PROCESSORS AND DPOs

Controller – Processor – Data Protection Officer

| 9|
CONTROLLERS

• Natural or legal person, or public authority who alone or jointly with others determines the purposes and means of the processing
• Application of GDPR to controllers/processors not established in the EU: these shall designate a representative in the EU
• Joint controllers introduced in art 26
• Controllers and processors are liable for compensation (art. 82), may be subject to administrative fines for infringements of their obligations (art. 83) and can be taken to court (art. 79). Member States may lay down rules on other penalties (art 84)

| 10|

PROCESSORS

• Processors process personal data “on behalf of the controller” and only on documented instructions. The processor must be a separate legal entity or individual from the controller.
• Must provide sufficient guarantees and shares responsibilities with the controller. May only subcontract with the authorisation of the controller.
• Art. 28 of GDPR – the contract as a legal requirement and main element of the relationship.
• Relevance of standard contractual clauses, codes of conduct or certification mechanisms
• Cooperation between controllers and processors is vital. Both shall cooperate with the Supervisory Authority (art 31)

| 11|
DATA PROTECTION OFFICERS

• Key role in helping to ensure compliance in an organisation (arts 37-39)
• Designation, position, independence
• Tasks: advise controllers, processors and employees, monitor compliance with the Regulation, advise on DPIAs, cooperate with the SA and be its contact point.
• Art 37 – cases where appointment of a DPO is compulsory (for controllers and processors).
• Requirements – qualifications – mandate – internal/external position
• INVOLVED PROPERLY AND IN A TIMELY MANNER IN ALL DATA PROTECTION ISSUES

Further reading: WP243 rev01 Guidelines on Data Protection Officers, endorsed by the EDPB

| 12|

SUPERVISORY AUTHORITIES

• Independent public authority, arts 4(21) and 51-59
• Monitor the application of the GDPR and contribute to its consistent application in the EU
• Art. 4(22) Supervisory authority concerned (controller or processor is established in the MS territory, data subjects residing in the MS are substantially affected, or a complaint has been lodged with them)
• Territorial competence, except for cross-border processing: appointment of a lead authority

| 13|

SUPERVISORY AUTHORITIES II

• Tasks – art 57 – monitoring, public awareness, investigations, guidelines, DPIA lists, handling complaints, codes of conduct, certification mechanisms
• Powers – article 58 – investigative, corrective, authorisation and advisory
• Obligation to provide mutual assistance to each other (article 60)
• Joint operations (article 62) as joint investigations or enforcement measures

| 14|

Lead Authority

| 15|

Lead Supervisory Authority

• Cross-border processing requires a lead authority (art. 56 and 60) as sole interlocutor of the controller/processor
• The SA of the main or single establishment of the controller/processor, unless the complaint concerns a subject related to an establishment in one MS or substantially affecting data subjects in one MS (art. 56.3)
• Cooperation procedure between the lead authority and the other authorities concerned described in article 60
• Exception: when the processing is carried out by public authorities acting on the basis of a legal obligation or public interest.

Further reading: WP244 rev01 Guidelines for identifying a controller or processor’s lead supervisory authority, endorsed by the EDPB

| 16|

EUROPEAN DATA PROTECTION
BOARD

• New independent monitoring body with legal personality
• Composition and role: arts 68-76
• EDPS Secretariat
• Ensures consistent application of GDPR – list of tasks in article 70
• Guidelines and final decision-making body in the event of no consensus in the cooperation and consistency mechanism
• Consistency mechanism – opinion of the EDPB in certain cases or on any matter of general application concerning more than one MS.
• Dispute resolution: binding decision.

| 17|

Other actors

• National courts
• European Court of Justice
• European Data Protection Supervisor (EDPS) - the
Supervisory Authority for EU Institutions

| 18|

Thank you,
do you have questions?
data.protection@consilium.europa.eu

| 19|