The obligations of the processor are set out in several places in the General Data Protection Regulation and the Personal Data Protection Act.
The General Regulation specifies the general obligations of processors and persons who process personal data on their behalf (processors). Among such obligations are the obligation to implement suitable security measures and the obligation to give official notification of violations of personal data. In accordance with the Regulation, the public sector and companies whose core activities include the collection or processing and require regular and systematic monitoring of individuals or extensive processing of specific types of data shall appoint an official (responsible) person for the protection of data.
Operators will no longer be obliged to report collections of personal data to the register of personal data collections, while the obligation to keep a record of processing activities remains. Additionally, these obligations go further and shall also be implemented for (contractual) processors.
The General Regulation shall also place more emphasis on the (prior) implementation of the analysis of impacts on the protection of personal data. In case of security incidents, such as the loss of personal data, however, the obligation to report the incident to the supervisory authority and, in certain cases, to inform all affected individuals shall be implemented.
Until the ZVOP-2 is adopted, certain obligations for processors from ZVOP-1 shall apply, especially in respect of sectoral regulation. Obligations in individual areas (video surveillance, biometrics, transfer, etc.) are described in more detail below.