Who do these changes apply to?

Almost every employer will be impacted by the new rules and will have to adjust the way personal data of staff members are processed. 


The controller bears the most important responsibilities under the GDPR.

“Controller” means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

In most cases the employer is the controller. However, it is possible that two or more controllers jointly determine the purposes and means of processing.

The GDPR prescribes that “joint controllers” shall determine, in a transparent manner and by means of an arrangement between them, their respective responsibilities for compliance with the obligations under this Regulation. The arrangement may designate a contact point for data subjects. The arrangement must duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. Data subjects must have access to the content of the arrangement and they may exercise their rights under this Regulation in respect of and against each of the controllers.


The controller can appoint an external subcontractor to process personal data. The subcontractor, called a “processor”, is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

If a processor, while determining the purposes and means of processing, infringes this Regulation, the processor will be considered to be a controller in respect of such processing, including the liability involved.

Examples of processors include a social secretariat, a screening agency involved in recruiting and selection, an archive service for e-filing, a cloud service provider for storage of data, a security firm, an insurance company, or an external IT provider. Their obligations will increase under the GDPR.