Obligations of the controller / processor
A data controller is any natural or legal person from the public or private sector who, alone or jointly with others, determines the purposes and means of processing personal data.
A data processor is any natural or legal person from the public or private sector who processes personal data for and on behalf of the data controller.
The controller must always have a legal basis for processing personal data in order for that processing to be lawful. The legal bases for processing personal data are defined in Article 5 of the LMDHP.
The controller and the processor are obliged to take technical and organizational measures whenever they process personal data, so as to provide the level of security necessary to protect the data.
Whenever the controller processes personal data, whether received directly from the data subject or obtained from another source, it is obliged to provide the data subject with information about the processing and to inform the data subject of the rights guaranteed by law.
When the data controller decides to entrust data processing to a processor, it must engage a processor that provides sufficient guarantees to implement the appropriate technical and organizational measures, so that the processing is carried out in accordance with the law and the rights of the data subject are protected.
The contract between the controller and the processor must be in writing and must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.
The data processor may operate only within the limits of the data controller's authorization and may not process personal data for any other purpose. The Agency has published standard contractual clauses, which can be obtained HERE (download link).
In the event of a personal data breach, the controller must notify the Agency without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons. A processor that becomes aware of a breach must notify the controller of that breach without undue delay.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subject without undue delay.
If personal data are processed by a public institution, the controller or the processor is obliged to appoint a Personal Data Protection Officer and to publish the officer's contact details. Whenever they appoint a Personal Data Protection Officer, or make any change in this regard, they must also communicate the officer's contact details to the Agency.
The data breach notification form can be downloaded here (download link).