Link Search Menu Expand Document
Responsible data management toolbox

3.3 Data protection roles and responsabilities


Keep in mind

The role of a DPO is to advise and support your data protection implementation, particularly in the field.

Depending on whether you are a “controller” or “processor” on data management activities, your responsibilities differ: it is important to clarify them to reduce risks and have the right tools.

The data processing register allows you to have traceability and a complete picture of the usage of personal data within your organisation.

As OCHA put it in the title of its study “We Are All Data People: Insights from the Data Literacy Survey,” data management is not only the prerogative of technical specialists. By extension, data protection is also a problem that cuts across much of an organisation’s members. Each one deals with data and must keep with respectful practice, the latter often depending on the weakest link (the one who, without realizing the implications, will irresponsibly manage his or her passwords, use his or her personal computer for business reasons, etc.).

There are however different and more formal responsibilities within the organisation, depending on the role the organisation plays. These are the ones we are presenting here.

3.3.1 What is the role of a DPO, a controller and a processor in relation to field operations?

3.3.2 How do I learn about the responsibilities of an organisation?

To find out whether your organisation is a processor or a controller, you can take the test provided by the ICO (here in its original version). It is not uncommon for an organisation to perform both functions at the same time, depending on the circumstances in which they process the data.

Sometimes, and this is the case when your organisation is in partnership or consortium with others, a joint controller function is possible: the mission is carried out jointly with the same responsibilities. It is then recommended to clarify, for example through a joint responsibility agreement, the roles of each co-controller in relation to their shared responsibilities.

This ICO test will allow you to establish your responsibilities for each type of processing.

Are we a controller?

  • We have decided to collect or process the personal data.
  • We have decided what the purpose or outcome of processing was to be.
  • We have decided what personal data should be collected.
  • We have decided which individuals to collect personal data about.
  • We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • We are processing the personal data as a result of a contract between us and the data subject.
  • The data subjects are our employees.
  • We make decisions about the individuals concerned as part of or as a result of the processing.
  • We exercise professional judgement in the processing of the personal data.
  • We have a direct relationship with the data subjects.
  • We have complete autonomy as to how the personal data is processed.
  • We have appointed the processors to process the personal data on our behalf.

Are we a joint controller?

  • We have a common objective with others regarding the processing.
  • We are processing the personal data for the same purpose as another controller.
  • We are using the same set of personal data (e.g. one database) for this processing as another controller.
  • We have designed this process with another controller.
  • We have common information management rules with another controller.

Are we a processor?

  • We are following instructions from someone else regarding the processing of personal data.
  • We were given the personal data by a customer or similar third entity, or told what data to collect.
  • We do not decide to collect personal data from individuals.
  • We do not decide what personal data should be collected from individuals.
  • We do not decide on the lawful basis for the use of that data.
  • We do not decide what purpose or purposes the data will be used for.
  • We do not decide whether to disclose the data, or to whom.
  • We do not decide how long to retain the data.
  • We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
  • We are not interested in the end result of the processing.

You can refer to Solidarités International’s “data processing agreement” template, to draw up a subcontracting agreement clarifying roles and responsibilities between the organization responsible for processing and the subcontractor.

3.3.3 What is the purpose of the data processing register?

In the context of data protection, personal data processing activities must be documented in a processing register. It is a tool that allows you to list all of the types of processing that your organisation carries out on personal data, to have a traceability of the actions carried out and to identify the persons responsible. To summarise, this document is useful for you to have an overall view of the use of the personal data that you have collected. It lists:

  • the stakeholders (representative, processors, joint controllers, etc.) who are involved in the data processing,
  • the categories of data processed, what the data is used for (what you do with it), who accesses the data and to whom it is communicated,
  • how long you retain the data,
  • how the data is secured.

If you are an NGO with less than 250 employees, the register should only contain the following information:

  • “non-occasional data processing (example: payroll management, customer/prospect and supplier management, etc.)
  • processing that may impact the rights and freedoms of data subjects (e.g. geolocation systems, video surveillance systems, etc.)
  • processing of sensitive personal data (e.g. health data, offences, etc.).”