After four years of work and negotiations, the EU General Data Protection Regulation (GDPR), replacing the 1995 Directive, entered into force on 25 May 2018. The GDPR brought about major changes in the data privacy regulatory environment. One major change heralded by the GDPR lay in the expanded territorial scope of its application. Now, any business, regardless of the location of its legal entity, must abide by the GDPR if it is in any way involved in the processing of personal data of individuals within the European Union. The GDPR distinguishes between data controllers (who determine "why" and "how" personal data should be processed) and data processors (who process the personal data on behalf of the controller), with different obligations attached to each category.
A company must determine whether it acts as a data controller or a data processor in order to grasp fully the specific obligations and requirements the GDPR places on it. Under the GDPR, processors have their own legal obligations and legal liability in respect of a data breach. Under the GDPR's provisions, the processing of personal data is only permissible if it is lawful and transparent, carried out for a specified purpose, limited to the data necessary for that purpose, and appropriately secured. The controller must ensure that the data processor offers sufficient guarantees that the GDPR requirements will be met, and a written contract setting out these guarantees must be entered into between them.