A recurring issue in the implementation processes of the General Data Protection Law is the definition of who is the controller and who is the operator of personal data. Often, during the negotiation, one party contractually points out that it must be the controller of the data, but what does this really mean?
The General Data Protection Law introduced the concept of processing agents, the controller and the operator. Basically, the definitions of controller and operator can be summarized in a few lines: the controller is the one who is responsible for decisions regarding the processing of personal data, and the operator is the one who performs the processing of data on behalf of the controller.
Although the definition is simple, its practical application generates numerous challenges related to the framing of the contractual parties in one or another classification.
Importantly, above all, the roles of controller and operator are not necessarily related to the contractual positions of contracting party and contracted party and, therefore, it is not recommended that they be treated in this way.
This relationship may even vary in the course of interaction with the data subject. Thus, those who have autonomy and independence in relation to the use of personal data should be considered controllers, being able to decide on the purpose of the data processing, the category of data to be collected, and the retention period, among other issues directly related to data processing. The operator will carry out data processing activities, always on behalf of the controller.
This is the case in online sales activities, in which the portal that performs the sale is the data controller, while the transport service used, in this situation, will act as an operator, to meet the specific purpose of delivering the products to the buyer.
Both have legal responsibilities
Regardless of whether a party is the controller or the operator in the personal data processing relationship, the General Data Protection Law establishes responsibilities for both parties, from the need to comply with all the principles related to the processing of personal data, to the need to meet the rights of data subjects and the determinations of the National Data Protection Authority.
Due to these provisions and the need to organize the way the controller and the operator fulfill these rights, the establishment of contractual clauses is recommended, even though the LGPD does not expressly provide for this need.
It is therefore recommended to contractually define the object and duration of the data processing, the nature and purpose of the data processing, the types of personal data involved and the rights and obligations of the parties related to compliance with the provisions of the General Data Protection Law.
Thus, a better relationship between the parties is sought with regard to the protection of personal data.
Raphael Valentim, author of this article, is an associate at Loeser, Blanchet e Hadad Advogados.