And :D??

Thanks Adrian! We've got that scheduled and it's rising to the top of the queue, it's a great topic.

Great topic for a video, thanks Madhvi! It's essentially the same as if each group member is an unknown third party. There's no free passes for group members. If you have BCRs (and wow, only 200 groups have ever had BCDRs approved so you most likely do not have BCRs) then the BCRs set out the rules - still no free pass, the BCR is a chunky set of rules.

Great suggestion, thank you for contributing! Yes, we're looking to do a mini-series on Processors in the new year :)

Many thanks! We've not yet but will do :)

@@PrivacyKitchen great! I'm eagerly anticipating watching. By the way, I successfully passed the CIPP/E exam, and I must say your videos were particularly helpful in certain areas. Thank you! 😊

Congratulations!@@Tola_A

Individuals can be controllers in very limited circumstances (given the vast majority of personal data processing happens in the context of a legal entity with employees). In GDPR, a controller is the person who determines the purposes and means of the processing. 'Person' can be either a natural person (a human) or a legal person (an LTD, PLC etc). In an employer-employee context, it's normally the employer who determines purposes and means, not the employee enacting that for the employer. But if the employee goes off on a frolic of their own, outside their employee duties, they're likely to be the controller for that. And, outside that employment context, if a person on their own processes personal data for a purpose other than 'in the course of a purely personal or household activity' then the GDPR likely applies to them as a controller.

Tu peux metez les sous-titres en Francais.

For sure! Huge numbers of them in terms of controllers in breach. Here's the official EDPB website rounding up regulatory fines on controllers who breached GDPR: edpb.europa.eu/news/national-news_en. In terms of where people didn't know they were the controller, that's quite rare because you're either saying you didn't know GDPR applied (odd if you process personal data) or generally such rulings are where eg a list provider or recruiter says they're a processor (or joint controller or separate controller) - more about having an argument about what role you had.

@@PrivacyKitchen hmm that’s very helpful, let’s use today’s era as an example right, track and trace app for coronavirus. Would you think NHS is a data controller as they determine the why and how for processing personal data with the track and trace app and then the data processsors would be google, apple ect as they are allowing the app to operate on behalf of the controller. Or would you say nhs apple and google are joint controllers. Just tryna get a clear understanding with a current scenario! Any comment would be helpful

@@ajayxo6712 it's all fact specific but at first blush: NHS controller, everyone else it depends on their access to personal data (if no access, no GDPR role) and then their role

@@PrivacyKitchen thank you that is very informative... Facts are everything... In relation to that list and link you gave would you know any case where a company/person did not report a personal data breach but then was found guilty going against article 33(1) gdpr? Thanks in advance