Controller & Processor
A person who determines the purposes and means of the processing (using) of personal data is called a controller. A person who actually processes (uses) personal data is called a processor and might be used by the controller when it lacks capacity for processing the data.
This also means that you may be involved in the processing of other people’s data. For example, if your fellow students have shared their identity codes with you, so that you can buy online flight tickets for your joint trip, you have now become a user of their personal data.
However, there is an exception when you, as an individual, are not considered to be a data user: if you process someone’s personal data for purely personal or household activities and, at the same time, you don’t disclose this data to third parties.
If there has been a personal data breach which might result in a risk to the rights and freedoms of a person whose data have been processed, the controller has to inform that person and the Data State Inspectorate about it. Usually the Data State Inspectorate should be notified about a data breach without undue delay and, where feasible, not later than 72 hours after the data breach.
Example: A personal data breach of this nature may be the publication of personal data of a particularly sensitive nature, such as data concerning personal health and sex life, as it infringes the person’s right to private life.
Article 1 (4)
Applicable as of 25 May 2018
Articles 2 (2) “c”, 4 (7) and (8), 24-34
Joint publication by the EU Agency for Fundamental Rights and the Council of Europe