The controller’s obligations under the GDPR

In the previous article, we identified which companies are required to comply with GDPR.

But what to do if you fall into this category and your company is a controller of personal data. In order to find out the answer to this question, we need to determine what obligations are included in GDPR.

A data controller is someone who interacts with the customer, collects the data and determines how it is further processed.

The controller’s main obligations under GDPR are as follows:

  1. Implement appropriate technical and organizational measures designed to implement data-protection principles, such as data minimization, and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and to protect the rights of data subjects. (Article 25);
  2. Comply with the principles set out in par. 1 Art. 5 and be able to demonstrate compliance with them (Art. 5);
  3. Engage a processor that provides sufficient safeguards to implement the appropriate technical and organizational measures, in such a manner that the processing meets the requirements of the Regulation. The contract with the processor must be in writing. (Art. 28);
  4. Maintain a record of personal data processing activities (Art. 30);
  5. Cooperate, on request, with the supervisory authority in the performance of its tasks. (Art. 31);
  6. Implement the technical and organizational measures set out in Article 32. To ensure a level of security appropriate to the risks (art. 32);
  7. Notify the competent authority and the personal data subject in the event of personal data breach, where feasible, not later than 72 hours after having become aware of a personal data breach(Articles 33 to 34);
  8. Carry out an assessment of the impact of the envisaged processing operations on the protection of personal data which, in terms of their nature, scope, context and purpose, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35);
  9. Consult with the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36);
  10. Designate an official (inspector) responsible for personal data protection where the processing is carried out by a public authority / the core activities of the controller consists of data processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale / the core activities of the controller or the processor consist of processing special categories of data on a large scale under Article 9 and personal data relating to criminal convictions and offences referred to in Article 10 (Article 37);
  11. Ensure the proper and prompt involvement of the data protection officer in all issues which relate to the protection of personal data, protect his/her independence and provide resources necessary to carry out those tasks (art. 38 and 39);
  12. Appoint, in writing, a representative in the EU, in case the controller is registered outside the EU.

Legarithm lawyers are GDPR specialists, we can help your business comply with all GDPR requirements. Chat with us to review your business processes for GDPR compliance and analyze your existing and potential risks of fines.


Mon-Fri 10:00-19:00


Konyskoho St. 55А, Kyiv, Ukraine, 04053


Mon-Fri 10:00-19:00


Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19-315, 10152


Mon-Fri 10:00-19:00

United States

228 Park Ave S PMB 516920 New York, New York 10003-1502 US