Some fundamental concepts
When “processing” personal data, three parties act:
- The data controller
Sometimes also referred to as the “controller”. This is the party that requests the processing of your data. In most cases, this is an organisation that exchanges documents with you through Doccle.
- The data processor
This is the party that actually performs an action with the data, at the request of a data controller.
- The person concerned
That is you as a Doccler, together with all other Doccle users.
The data controllers are the companies with which you have a “connection” via Doccle. You set up such a connection, for example, to receive invoices or other documents from the company, or to make payments to them. When adding such a connection, you as a Doccler give explicit permission to process your data. After all, without this data these companies and organisations are unable to provide you with their services via Doccle.
The data controllers are responsible for taking the technical and organisational measures that are necessary for demonstrably carrying out the data processing in accordance with GDPR. The obligations of controllers concern principles such as lawfulness, reasonableness, transparency, purpose limitation, data minimisation and accuracy, as well as fulfilment of your rights.
The data controller determines the purposes and means for processing personal data, while the data processor processes the data by order of this controller.
Doccle only has the function of data controller if you upload documents yourself, create and manage your profile, use your eID or itsme, make payments through Doccle, conclude a SEPA direct debit, electronically sign or make a Scan & Pay payment via our mobile app. In that case Doccle processes your data based on your implicit consent. Find out more about these processing operations here.
The specific nature of the Doccle service provision means that we are a data processor as well as a data controller in certain cases.