Obligations of Controlling Services
A Service is a Controlling Service if it determines the purposes and means of a processing operation.
In practice, the Controlling Service decides what data is to be collected, what will be done with it and why (purpose, legal basis, retention period, transfer etc.).
When different Services define different purposes or means for a given processing operation, each Service will be a Controlling Service of the processing for which it defined purposes or means.
When purposes and means are determined jointly by more than one Service, these Services will jointly be Controlling Services of the processing operation.
As a Controlling Service, you must make sure that the processing of personal data that takes place under your responsibility conforms with OC 11.
In practice this means that:
- You must make sure that
  - the basic principles of data processing are observed,
  - a valid lawful basis exists, and
  - an applicable exception is present in case you have to process sensitive personal data.
- You document the processing in a Records of Processing Operations (RoPO), and that you publish the corresponding Privacy Notice on forms, web pages, etc. so that the data subjects can easily find this information.
- You carry out a Data Privacy Impact Assessment if applicable.
- You apply the Data Privacy by Design and by Default approach when you set up or review processing operations, and keep detailed records of the privacy considerations that have been taken into account in this context.
- You handle requests from individuals who wish to exercise their data subject rights.
- You take the necessary actions to notify data breaches, in collaboration with the ODP.