GDPR standards apply to your employer and are fulfilled by its staff
Your organization can be a controller, a joint controller or a processor
Ask for internal guidance on how to cooperate and share data with other organizations and third parties
As I mentioned when talking about liability, most data protection norms are binding on your employer. Your organization must implement adequate organizational and technical measures to ensure, and be able to demonstrate, compliance.
No matter what your organization is, small or large, public or private, for profit or not for profit, under data protection law it can be a data controller, a joint controller, a processor or a further processor.
Typically, your organization is a controller, acting on its own behalf and determining the purposes and means of data processing. Sometimes it becomes a processor, providing services (e.g. storage) on data entrusted to it by other entities. Your organization can also be a further processor, supporting data processing carried out by an initial processor (e.g. as a sub-subcontractor).
There may also be cases where processing is carried out jointly with another entity. For instance, there is a joint recruitment process for a whole capital group, or one webpage is jointly used by several companies to offer related products (let’s say babysitting and fairy tale video rental). Entities that jointly determine the purposes and means of processing are joint controllers.
The same applies to other organizations: if you share data with them, check whether they are separate controllers, joint controllers, or whether there is a controller-processor relationship with your firm. Sometimes you share data with other third parties who do not always apply data protection law, for instance the wider public, or people who process data for purely personal purposes. Each of these roles carries different responsibilities, and your organization should provide you with a clear framework for each type of cooperation.
Self-implement GDPR in 16 steps: