Chapter 4: Controller and processor obligations
Responsibility of the controller
Taking into account the nature, scope, context and purposes of processing and the risks to individuals, the controller must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing complies with the Regulation; those measures must be reviewed and updated as necessary.
Data protection by design and by default
Build data protection into the design of processing systems from the outset (e.g. pseudonymisation, data minimisation); by default, process only the personal data necessary for each specific purpose, in amount, extent, retention period and accessibility, so that data is not made available to an indefinite number of people without the individual's intervention.
Joint controllers
Where two or more controllers jointly determine the purposes and means of processing, they must set out their respective responsibilities (in particular for data subject rights and transparency information) in a transparent arrangement, and make its essence available to data subjects; data subjects may exercise their rights against any of the joint controllers.
Representatives of controllers or processors not established in the Union
Controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, individuals in the Union must designate in writing a representative established in the Union; exempted are public authorities and occasional processing that is unlikely to result in a risk and does not involve special categories or criminal data on a large scale.
Processor
Controllers may use only processors that provide sufficient guarantees of appropriate technical and organisational measures; the relationship must be governed by a binding contract (data processing agreement, DPA) setting out the subject matter, duration, nature and purpose of processing, the data and data subjects concerned, and the processor's duties (act only on documented instructions, confidentiality, security, assistance, deletion or return of data, audits); engaging a sub-processor requires the controller's prior authorisation.
Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or processor who has access to personal data may process it only on the controller's instructions, unless required to do so by Union or Member State law.
Records of processing activities
Controllers and processors must each maintain written (including electronic) records of processing activities (RoPA) and make them available to the supervisory authority on request; organisations with fewer than 250 employees are exempt only where the processing is occasional, is unlikely to result in a risk to individuals, and involves no special categories or criminal data.
Cooperation with the supervisory authority
Controllers/processors must cooperate with supervisory authorities upon request.
Security of processing
Implement technical and organisational measures appropriate to the risk, taking into account the state of the art and implementation costs, including as appropriate: pseudonymisation and encryption; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Notification of a personal data breach to the supervisory authority
Controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals; a later notification must give reasons for the delay. Processors must notify the controller without undue delay. All breaches, notified or not, must be documented with their facts, effects and remedial action taken.
Communication of a personal data breach to the data subject
Where a breach is likely to result in a high risk to individuals, the controller must inform affected data subjects without undue delay in clear and plain language. Communication is not required where the affected data was rendered unintelligible to unauthorised parties (e.g. properly encrypted), where subsequent measures ensure the high risk will no longer materialise, or where individual notice would involve disproportionate effort (a public communication may then be used instead).
Data protection impact assessment
Before starting processing that is likely to result in a high risk to individuals, in particular when using new technologies, the controller must carry out a DPIA, seeking the DPO's advice; it is required in particular for systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories or criminal data, and large-scale systematic monitoring of publicly accessible areas.
Prior consultation
Where a DPIA indicates that the processing would result in a high risk in the absence of mitigating measures (high residual risk), the controller must consult the supervisory authority before processing begins.
Designation of the data protection officer
A DPO is mandatory where processing is carried out by a public authority or body (other than courts acting in their judicial capacity), where the core activities consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories or criminal data.
Position of the data protection officer
The DPO must be involved properly and in a timely manner in all data protection matters, given the necessary resources and access to personal data and processing operations, must act independently (no instructions on how to perform the tasks, no dismissal or penalty for performing them), and must report directly to the highest management level.
Tasks of the data protection officer
Inform and advise the organisation and its staff of their obligations, monitor compliance (including awareness-raising, training and audits), advise on and monitor DPIAs, cooperate with the supervisory authority, and act as its contact point.
Codes of conduct
Industry associations may draw up codes of conduct, subject to supervisory authority approval.
Monitoring of approved codes of conduct
Accredited bodies monitor compliance with approved codes of conduct.
Certification
Voluntary data protection certification mechanisms to demonstrate compliance.
Certification bodies
Requirements for accreditation of certification bodies issuing GDPR certifications.