“Data Controllers” may be natural or legal persons, SMEs, public authorities, organisations, or other bodies which, alone or jointly with others, determine the purposes for which personal data are used.
The GDPR strongly emphasises the “accountability” of the data controller. Data controllers must adopt policies and implement appropriate measures to ensure data security; they must be able to demonstrate that the processing of personal data complies with the law; and they must ensure that data are processed lawfully, fairly and transparently.
The GDPR gives data controllers the power to make decisions regarding the processing of personal data, and they are legally responsible for complying with the obligations laid down in the personal data protection regulations.
Data controllers can decide independently on the methods, safeguards and restrictions applied to the processing of personal data, applying the principles of the GDPR. First among these is the principle of ‘data protection by design and by default’, i.e. the need to configure the processing itself (e.g. by applying pseudonymisation and data minimisation) and the default settings (e.g. determining data retention periods and to whom the data may be made available) in accordance with the GDPR, in order to protect the rights of the data subject, taking into account the general context in which the processing takes place and the risks to the rights and freedoms of data subjects.
The data controller must also notify the supervisory authority (in Croatia this is the Croatian Data Protection Authority, in Italy the Garante Privacy) of personal data breaches within 72 hours and “without undue delay”, but only if it considers the breach likely to result in a risk to the rights and freedoms of the data subject.
Find out more about GDPR basics at: https://arc-rec-project.eu/wp-content/uploads/2021/03/Osnove-zastite-podataka.pdf
https://arc-rec-project.eu/wp-content/uploads/2022/02/ARC-Guidance-for-SMEs.pdf