In GDPR and other privacy laws, the data controller has the most responsibility when it comes to protecting the privacy and rights of the data subject. According to Article 4(7) of the GDPR, the data controller is defined as follows: “controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

Its status as controller makes it subject to the requirements established in the regulation:

Privacy Impact Assessment: The data controller must carry out an impact assessment of the processing operations before they begin. This assessment should be carried out with the advice of the DPO (Data Protection Officer).

Definition and application of measures: The Data Controller must apply the appropriate measures so that the processing of personal data is carried out in accordance with the regulations.

Accountability: The data controller must agree who should act as the sole point of contact for data subjects in the exercise of their rights.

Record of processing activities: The data controller must keep a record of all categories of personal data processing activities carried out under its responsibility.

Security: The Data Controller must assess the adequacy of the level of security to be applied in the processing of personal data.

Notification of a personal data breach to the supervisory authority: In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.

Of course, data controllers also need to:

  • Work with supervisory authorities.
  • Facilitate the exercise of data subject rights.
  • Fulfil their duty to inform data subjects, also when the personal data have not been obtained from the data subject.
  • Make sure that, in case of doubt, they use the proper methods to check whether an intended new data processing activity is likely to result in high risks or not.
  • Choose appropriate processors, with a clear duty to work only with processors that have the right safeguards in place.
  • Consider the special data categories and the special rules regarding the personal data of children.