Responsibilities of controllers
If you are a controller, you are responsible for ensuring your processing – including any processing carried out by a processor on your behalf – complies with the GDPR. Your GDPR responsibilities include the following:
- Compliance with the data protection principles: you must comply with the data protection principles listed in Article 5 of the Applied GDPR. For more information please see our guidance.
- Individuals’ rights: you must ensure that individuals can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making. For more information please see our guidance.
- Security: you must implement appropriate technical and organisational security measures to ensure the security of personal data. For more information please see our guidance.
- Choosing an appropriate processor: you can only use a processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets Applied GDPR requirements. This means you are responsible for assessing that your processor is competent to process the personal data in line with the Applied GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects. For more information please see our guidance on using processors.
- Processor contracts: you must enter into a binding contract or other legal act with your processors, which must contain a number of compulsory provisions as specified in Article 28(3). For more information please see our guidance.
- Notification of personal data breaches: you are responsible for notifying personal data breaches to the Information Commissioner and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. You are also responsible for notifying affected individuals (if the breach is likely to result in a high risk to their rights and freedoms). For more information please see our guidance.
- Accountability obligations: you must comply with the Applied GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer. For more information please see our guidance on accountability and data protection officers.
- International transfers: you must comply with the GDPR’s restrictions on transfers of personal data outside the EU. For more information please see our guidance.
- Co-operation with supervisory authorities: you must co-operate with supervisory authorities and help them perform their duties.
- Registration: you must register and pay the relevant fee unless you are exempt. For more information please see our guidance.