Obligations of Controlling Services
Terminology
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for the same processing operation, each Service will be a Controlling Service for the part of the processing it has defined.
When purposes and means are determined jointly by two or more Services, these Services will be Joint Controlling Services.
As a Controlling Service, you must ensure that the processing of personal data that takes place under your responsibility complies with OC 11.
In practice this means that:
- You must make sure that
- the basic principles of data processing are observed
- a valid lawful basis exists
- an applicable exception is present if you have to process sensitive personal data
- You document the processing in a Record of Processing Operations (RoPO), and you publish the corresponding Privacy Notice on forms, web pages, etc. so that the data subjects can easily find this information.
- You carry out a Data Privacy Impact Assessment where applicable.
- You apply the Data Privacy by Design and by Default approach when you set up or review processing operations, and keep detailed records of the privacy considerations that have been taken into account in this context.
- You handle requests from individuals who wish to exercise their data subject rights.
- You take the necessary actions to notify data breaches, in collaboration with the ODP.