
An overview of a controller’s obligations

Under the GDPR, data controllers have many legal obligations to protect data subjects and their rights. Watch Melania Tudorica explain more.

Controllers control data processing and determine its purposes and means. With this come duties and obligations.

Article 24 of the GDPR provides that, to comply with their obligations, controllers have to take appropriate organisational and technical measures to protect data subjects and their rights. They need to demonstrate that they have implemented such measures to ensure data protection by design (built-in technical safeguards) and by default (processing only personal data which are necessary for a specific purpose).

Controllers’ obligations may include:

• To maintain records of all processing activities (Article 30 GDPR);

• To cooperate and consult with supervisory authorities (Article 31 GDPR);

• To ensure a level of security (Article 32 GDPR);

• To notify the supervisory authorities in the event of a data breach (Article 33 GDPR);

• To conduct a data protection impact assessment (Article 35 GDPR);

• To appoint a data protection officer (Article 37 GDPR);

• Specific obligations as regards transfer of data outside the EU (Chapter V GDPR);

• To assist data subjects with exercising their rights to privacy and data protection (Chapter III GDPR).

This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life
