United Kingdom
6.2. Duties

6.2.1. Data controller

6.2.1.1. As discussed above, the data controller is primarily responsible for compliance with the laws relating to personal data. Controllers must comply with the obligations for processing set out in paragraphs 4.2.1 and 5, as well as taking the steps necessary to ensure that data subjects' rights, as set out in paragraph 6.1.1, are respected.

6.2.1.2. It is important that controllers do not see compliance as an afterthought or a matter of producing wordy policies that no-one reads. Art 25 UK GDPR sets out a primary obligation on controllers to implement systems which are designed to comply with UK GDPR, and to integrate safeguards to meet the requirements of UK GDPR.

6.2.1.3. In addition, Art 5 UK GDPR sets out the "accountability principle": "The controller shall be responsible for, and be able to demonstrate compliance with [the principles set out in 3.1.3]." Therefore, it is not enough to simply comply with UK GDPR; controllers must be able to show that they comply.

6.2.1.4. A further set of obligations is imposed on data controllers under PECR, in relation to electronic marketing. These obligations include:

6.2.1.4.1. a ban on unsolicited electronic marketing, except in limited circumstances, and provided an opt-out mechanism is included; and

6.2.1.4.2. the requirement for consent for the placing of non-essential cookies or similar technology on users' browsers or equipment.

6.2.2. Data processors

Data processors have their own set of responsibilities and are liable in their own right for non-compliance, as well as for any contractual obligations or other liability to the controller on whose behalf they are processing personal data. The duties of processors include:

6.2.2.1. Processing data only on instructions: a data processor must process personal data only as instructed by the data controller and must not process data for its own purposes.

6.2.2.2. Security measures: ensure that appropriate security measures are in place to protect personal data. This includes both technical and organisational measures to safeguard against unauthorised access, accidental loss, or destruction of data.

6.2.2.3. Confidentiality: ensure that anyone who can access personal data is under a duty of confidentiality.

6.2.2.4. Sub-processors: obtain prior written authorisation from the data controller before engaging any sub-processors, and ensure that sub-processors adhere to similar obligations to those laid out in the processor agreement.
https://www.fladgate.com/