Who is the Data Controller (DC) and what are its responsibilities under the General Data Protection Regulation

The Data Controller (“DC”) is the person who, alone or jointly, determines the purpose and means of the processing of personal data; in other words, is the person who decides why other’s personal data is processed and how it would be processed. Art. 4 (7) GDPR determines the purpose and means of the processing of Personal Data (PD).

The data processor (DP) is an entity that processes personal data for the account, on instruction and under the authority of the Data Controller (DC)-other than the employee of the DC. This enity can be a natural or legal person, public authority, agency or another body. Art. 4 (8) GDPR process Personal Data (PD) on behalf of the Data Controller (DC).

Comply with the General Data Protection Regulation

Adopt appropriate technical organisational measures which implement the date protection principles conform to data protection by Design and Default. 

Demonstrate Compliance

Count with documentation that proves the measures you have in place to comply with the General Data Protection Regulation, the effectiveness of them and how they are reviewed and updated. 

Data Processor (DP)

If needed, only hire a Date Processor (DP) that provides sufficient guarantees in relation to the technical and organisational measures as required by the General Data Protection Regulation. You have to make a written contract. 

Records of Processing Activities

Maintain an internal document that demonstrates how and why the personal data is being processed (art. 30 (5) General Data Protection Regulation). 

Cooperation with the Authority

Cooperate with the Supervisory Authority with the performance of its tasks (art. 57 General Data Protection Regulation). 

Security of Processing

Respect the points set in the General Data Protection Regulation when implementing technical and organisational measures that ensure a level of security appropriate to the risk. 

Notification of personal Data breach

In case a data breach occurs and is likely to result in a high risk to rights and freedoms of a natural person, notify the data subject without undue delay (art. 34 (3) General Data Protection Regulation). 

Data Protection Impact Assessment (DPIA)

Carry out one when the processing is likely to result in high risk to the rights, freedoms or in compliance with codes of conduct or seeking the view of data subjects (art. 35 (5) (10) General Data Protection Regulation). 

Prior Consultation

If the result of a Data Protection Impact Assessment (DPIA) is “high risk in the absence of measures”, consult the authority prior the processing. 

Designation of a Data Protection Officer (DPO)

Appoint a Data Protection Officer (DPO) when a Data Controller (DC) is public entity (no courts) or the processing requires regular and systematic monitoring of data subjects on a large scale or is special data or criminal records 

Position of the Data Protection Officer (DPO)

Ensure that the Data Protection Officer (DPO) is involved, properly and in a timely manner in all the issues related to the processing, protect its independence and provide with the necessary resources to fulfil its tasks. 

Joint Controllers

Make an arrangement that determines the duties of each controller, keep the essence available to data subjects and designate a contract point for them. 

Data Controller (DC) established outside the European Union

Designate in writing a representative in the EU to be addressed in all the issues related to the processing of personal data (art. 27 (2) General Data Protection Regulation).

Previous Story

Rights of Data Subjects under the GDPR

Next Story

Who is the Data Processor (DP) and what are its responsibilities under the General Data Protection Regulation

Latest from Data Protection


VAN LEEUWEN LAW FIRM helps its clients to design a clear process in order to proactively…

Privacy at Work

VAN LEEUWEN LAW FIRM assists its clients in implementing global data protection agreements as well as…