In 2016, the EU ratified the General Data Protection Regulation (GDPR) with the intention of strengthening data protection for all people within the EU. The GDPR provides the regulatory framework that defines the role of data controllers in protecting data subject rights. A data controller is the person or entity responsible for determining the purposes and means of processing and accessing personal data (Osterman Research, 2017). This report covers the specific roles of data controllers with regard to personal privacy and the requirements for accessing information.
Role of the EU member state controller with regard to EU citizen privacy protection
The controller has the responsibility of setting up appropriate measures to ensure that data processing complies with the GDPR's requirements. The controller must also demonstrate compliance with the privacy law through proactive measures of accountability. The GDPR's regulations are concerned not only with privacy but with the protection of personal data as a whole. Compliance requires considerable effort, including establishing ways to notify individuals affected by a data breach so that fraud can be prevented. The controller has a duty of accountability: it must ensure that personal data is processed according to the principles of data processing set out in the GDPR. The data controller must be able to demonstrate that processing of personal data is lawful, fair and transparent; limited to its purpose; accurate; and maintains integrity and confidentiality (Milt, 2018). Controllers can use various mechanisms to demonstrate compliance, including certification or approval by a legal entity. Controllers also have a responsibility to cooperate with the authorities, and they may be required to implement court decisions allowing access to personal information. However, when implementing such orders, the controller must still ensure compliance with the principles governing access to the personal data of EU citizens.
Controllers must consider the legal basis for accessing personal information. One lawful basis for granting a request to access personal information is compliance with a legal obligation. A controller risks heavy penalties for failing to demonstrate its effort to protect the rights of the data subject. This means that the controller needs a legal basis before allowing any entity to access personal information.
Communication methods required to coordinate discovery requests with the controller
Under EU personal data privacy law, US investigators must coordinate with EU data controllers to access information belonging to people within the EU. A request for personal information regarding EU citizens should have a legal basis so that it can be properly coordinated with the controllers (Information Commission Office, 2017). This approach takes into account the controllers' responsibilities with respect to protecting the privacy rights of people within the EU. Controllers must demonstrate their effort to protect the interests of individuals, and thus requests for information should have legal backing. Data controllers may decline to respond to requests without legal backing because they are legally liable for violations of privacy rights.
A request must demonstrate that the controller has a legal obligation to provide the requested information. For example, a court order regarding the release of personal information gives the controller a legal basis to honor the request. As such, a request should rest on an obligation that the controller is legally bound to fulfil.
Conclusions and recommendations
EU privacy law sets strict guidelines for access to personal data. The controller ensures that the standards set by the GDPR for the handling of personal data are maintained. In addition, controllers are expected to demonstrate accountability and effort in protecting personal privacy. US investigators should ensure that their requests for personal data meet the requirements of the EU's principles of data processing and have legal backing. Controllers require legal backing to respond effectively to requests for personal information, since they have a legal duty to protect the interests of individuals.
References
- Information Commission Office. (2017). Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. Retrieved from https://ico.org.uk
- Milt, K. (2018). Personal data protection. European Parliament. Retrieved from http://www.europarl.europa.eu/
- Osterman Research. (2017). GDPR Compliance and Its Impact on Security and Data Protection Programs. Osterman Research White Paper. Retrieved from https://www.actiance.com