Chapter 7 of 13

Controller and Processor Obligations: Accountability in Practice

Step into the shoes of controllers and processors as you map out contracts, records, DPIAs, DPOs and privacy by design, turning abstract accountability into concrete exam‑ready obligations.

15 min read

Accountability in Practice: Controllers vs Processors

From Principles to Duties

We now turn GDPR principles into concrete duties: records, contracts, DPIAs, DPOs and privacy by design. These are core for exams and real-world compliance.

Who Is the Controller?

The controller decides why and how personal data are processed (purposes and essential means). It bears primary responsibility and must demonstrate compliance.

Who Is the Processor?

The processor processes personal data on behalf of the controller, following its documented instructions. Under the GDPR it also has direct legal obligations.

Example: University and Cloud Provider

A university using a cloud provider to host student data: the university decides purposes and means, so it is the controller; the cloud provider is the processor.

Joint Controllers

If two organisations jointly decide purposes and means, they are joint controllers and must transparently allocate GDPR responsibilities between them (Art. 26).

Exam Strategy

In any scenario, first ask: who sets the purposes and essential means? That party is (usually) the controller. This choice determines which obligations apply.

Accountability and Documentation: Records, Policies, Governance

What Is Accountability?

Under the GDPR, accountability means you must comply and be able to demonstrate compliance. Documentation is the main way to show this in practice.

Records of Processing (RoPA)

Art. 30 requires controllers and processors to keep records of processing activities: purposes, data categories, recipients, transfers, retention and security measures.

Small Organisation Exemption

The under-250-employee exemption is narrow: it does not apply if processing is not occasional, is risky, or involves special or criminal data. Most organisations keep records.

Policies and Procedures

Controllers typically maintain privacy notices, data protection and security policies, rights-handling procedures, breach response plans, and retention schedules.

Governance and Training

Accountability also needs people and processes: assigned roles, regular training, and checks or audits to ensure policies are followed in daily work.

Example: Online Shop

A medium-sized online shop keeps a RoPA for customer, marketing and payment processing, has rights-handling workflows, and trains staff annually on privacy.

Data Protection by Design and by Default

Art. 25 in One Line

Article 25 requires controllers to build privacy into systems by design and to ensure privacy-friendly settings by default.

By Design

By design means integrating appropriate technical and organisational measures from the start, considering state of the art, costs, context and risks.

By Default

By default means that, unless the user changes settings, only the minimum personal data necessary for each specific purpose are processed.

Practical Measures

Examples: data minimisation in forms, strict access controls, pseudonymisation, short retention periods, and secure system architectures.

Example: Fitness App

A fitness app stores location data locally by default and only uploads it if users opt in. Profiles are private by default; sharing workouts is opt-in.

Exam Trigger

Whenever a scenario mentions a new app, system or feature, ask: what privacy-by-design and privacy-by-default measures should the controller implement?

DPIAs: When Are They Required?

What Is a DPIA?

A DPIA is a structured assessment used before high-risk processing to identify and reduce risks to individuals' rights and freedoms.

Mandatory DPIA Triggers

Art. 35 makes DPIAs mandatory where processing is likely to result in a high risk, especially with new technologies or certain listed operations.

Art. 35(3) Examples

Key examples: automated profiling with legal effects, large-scale processing of special or criminal data, and large-scale monitoring of public areas.

Additional Triggers

EDPB and national lists add triggers like large-scale tracking, combining datasets, or innovative tech with significant impact on individuals.

Exam Clues

Look for 'large-scale', 'systematic monitoring', 'special category data', 'profiling', 'new technology', or 'significant impact' as DPIA red flags.

When in Doubt

If risk is uncertain but potentially high, conducting a DPIA is a good accountability practice, even if not clearly mandated.

DPIA Content, Outcomes and Prior Consultation

What Must a DPIA Contain?

Art. 35(7) requires: description of processing and purposes, necessity and proportionality analysis, risk assessment, and risk-mitigation measures.

Describing the Processing

You must explain what data are processed, from whom, how, by whom, where, for how long, and for which purposes or legitimate interests.

Risks and Measures

Identify risks to individuals (for example, discrimination, loss of confidentiality) and describe concrete technical and organisational safeguards.

Residual High Risk

If, after safeguards, high risks remain that you cannot reasonably reduce, you face 'high residual risk'. This triggers prior consultation.

Prior Consultation (Art. 36)

Before starting such processing, the controller must consult the supervisory authority, providing the DPIA and other requested information.

Document Everything

Whether you do a DPIA or decide it is not needed, recording your assessment supports accountability and can be important in investigations.

DPOs: When to Appoint, Role and Independence

What Is a DPO?

A Data Protection Officer is an internal or external expert who helps ensure GDPR compliance, especially in organisations with high-risk or large-scale processing.

When a DPO Is Mandatory

A DPO is required for public authorities, for large-scale regular and systematic monitoring of individuals as a core activity, and for large-scale special or criminal data processing as a core activity.

Core Activities and Scale

Core activities are key operations needed to achieve the organisation's goals. 'Large scale' depends on the number of data subjects, data volume, duration and geography.

Key DPO Tasks

The DPO informs and advises, monitors compliance, advises on DPIAs, and is the main contact point for supervisory authorities and data subjects.

Independence and Protection

The DPO must act independently, report to top management, and must not be dismissed or penalised for doing DPO work.

Avoiding Conflicts of Interest

Roles that decide purposes and means of processing (for example, heads of HR, marketing, IT) should not be combined with the DPO role.

Controller–Processor Contracts and Processor Obligations

Why Contracts Matter

When controllers use processors, Art. 28 requires a binding contract that turns high-level GDPR duties into concrete, enforceable obligations.

Describe the Processing

The contract must define subject matter, duration, nature and purpose of processing, data types, data subjects, and controller obligations and rights.

Core Processor Duties in the Contract

Key clauses: process only on documented instructions, ensure confidentiality, apply security, control sub-processors, assist with rights and DPIAs, delete/return data.

Audit and Information

Processors must provide information needed to show compliance and allow or contribute to audits by the controller or its auditor.

Direct Processor Obligations

Processors also have their own GDPR duties: records of processing, security measures, prompt breach notice to controllers, and proper sub-processor management.

Example: Payroll SaaS

An employer (controller) uses a payroll SaaS (processor). Their Art. 28 contract covers purposes, data types, security, sub-processors, retention and audit rights.

Apply It: Who Is Who and What Must They Do?

Work through these short scenarios. For each, decide:

  1. Who is the controller? Who is the processor (if any)?
  2. Name one key accountability measure that clearly applies.

Write your answers in your notes before checking against the hints.

Scenario A: University and Exam Proctoring Tool

A university uses an online exam proctoring service that records students via webcam, tracks keystrokes and flags suspicious behaviour using automated analysis.

Questions:

  • Controller vs processor?
  • At least one accountability measure that must be in place.

Hints (reveal after thinking):

  • The university decides to use remote proctoring, for what purpose, and under which conditions. It is the controller.
  • The proctoring company processes data on behalf of the university, following its instructions. It is a processor.
  • Likely accountability measures: Article 28 controller–processor contract; DPIA (profiling, special categories may be involved, large-scale monitoring); privacy by design/default (for example, minimising data collected); records of processing; possibly DPO if large-scale monitoring is a core activity.

Scenario B: Social Media Plug-in on a News Site

A news website embeds a social media "Like" button that tracks visitors, even if they do not click it, to build profiles for targeted advertising.

Questions:

  • Who is controller for the tracking?
  • Name one accountability step.

Hints:

  • Case law has treated the website and the social media platform as joint controllers for the initial collection and transmission of data via the plug-in.
  • Accountability steps: joint controller arrangement (Art. 26) describing respective responsibilities; updated privacy notice explaining the joint processing; records of processing; possibly DPIA due to profiling and large-scale tracking.

Scenario C: Hospital and External Laboratory

A hospital sends patient samples to an external lab that performs tests and issues diagnostic reports following the hospital's requests.

Questions:

  • Controller vs processor?
  • One accountability measure.

Hints:

  • Often both the hospital and the lab are controllers of their respective processing, because each decides purposes and means for medical diagnosis. They are not always in a simple controller–processor relationship.
  • Accountability: each must keep records of processing; both must apply strong security and privacy by design; DPIAs are likely given large-scale health data; DPO is usually mandatory for a hospital.

Quick Check: DPIAs, DPOs and Contracts

Test your understanding with a focused multiple-choice question.

A rapidly growing ad-tech company tracks millions of users across websites using cookies and profiles them for targeted ads. This tracking is its core business. Which combination of measures is most clearly REQUIRED under the GDPR?

  A. Maintain a RoPA, conduct a DPIA, and appoint a DPO
  B. Only obtain consent from users; no other accountability measures are strictly required
  C. Appoint a DPO and notify the supervisory authority, but a DPIA is optional
  D. Conclude controller–processor contracts with users, who act as processors

Answer: A. Maintain a RoPA, conduct a DPIA, and appoint a DPO

The company is a controller engaged in large-scale, regular and systematic monitoring as a core activity, so a DPO is required (Art. 37). The processing is likely high risk, so a DPIA is mandatory (Art. 35). As a medium/large organisation with ongoing processing, it must keep records of processing (Art. 30). Users are not processors, so option D is incorrect. Consent (option B) is about lawfulness, not a substitute for accountability measures.

Key Term Review: Accountability Toolkit

Use these flashcards to reinforce the core concepts from this module.

Controller
The natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data (Art. 4(7)).
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8)).
Accountability
The GDPR principle that controllers are responsible for compliance with the data protection principles and must be able to demonstrate that compliance (Art. 5(2), 24).
RoPA (Records of Processing Activities)
Documentation required under Art. 30 describing processing operations, purposes, data categories, recipients, transfers, retention and security measures.
Data Protection by Design and by Default
Art. 25 duty to integrate data protection into the design of processing and to ensure, by default, that only data necessary for each purpose are processed.
DPIA (Data Protection Impact Assessment)
A structured assessment required when processing is likely to result in a high risk to individuals, used to identify and mitigate those risks (Art. 35).
DPO (Data Protection Officer)
An independent expert appointed in certain cases to advise on and monitor GDPR compliance and act as a contact point with supervisory authorities (Art. 37–39).
Controller–Processor Contract
A binding agreement under Art. 28 that sets out the subject matter, duration, nature, purposes, data types, and detailed obligations of the processor.
Residual High Risk
The level of risk that remains after mitigation measures in a DPIA. If still high and unavoidable, it triggers prior consultation with the supervisory authority (Art. 36).
Joint Controllers
Two or more controllers that jointly determine the purposes and means of processing and must transparently allocate GDPR responsibilities between them (Art. 26).

Key Terms

Processor
An entity that processes personal data on behalf of a controller, under its instructions.
Controller
An entity that determines the purposes and means of processing personal data.
Accountability
The GDPR requirement that controllers are responsible for and must be able to demonstrate compliance with data protection principles.
Joint Controllers
Two or more controllers that jointly determine purposes and means of processing and must define their respective GDPR responsibilities in an arrangement.
Residual High Risk
The remaining risk to individuals after mitigation measures are applied in a DPIA; if still high, it requires prior consultation with a supervisory authority.
Data Protection by Design
Integrating privacy and data protection measures into the design and architecture of processing operations and systems.
Data Protection by Default
Ensuring that, by default, only personal data necessary for each specific purpose are processed.
DPO (Data Protection Officer)
An independent data protection expert with specific tasks and protections under the GDPR, mandatory in certain organisations.
Controller–Processor Contract
A contract required by Article 28 GDPR that governs processing carried out by a processor on behalf of a controller.
RoPA (Records of Processing Activities)
A structured record describing processing operations, purposes, data categories, recipients, transfers, retention and security, required by Article 30 GDPR.
DPIA (Data Protection Impact Assessment)
A risk assessment required when processing is likely to result in a high risk to individuals, used to identify and mitigate those risks before processing.
