GDPR

General Data Protection Regulation

The regulation that made cookie banners everyone's least favourite popup

The General Data Protection Regulation (GDPR) is the EU's landmark privacy law, governing how personal data is collected, processed, and protected. Since May 2018, it has been the gold standard for data protection worldwide — and the reason your inbox was flooded with 'We've updated our privacy policy' emails.

Scope

Any organisation that processes personal data of individuals in the EU/EEA — regardless of where the organisation is based. Yes, that means you too, Silicon Valley.

Geographic reach

EU/EEA + any organisation worldwide that offers goods or services to, or monitors the behaviour of, individuals in the EU.

In effect since

25 May 2018

Purpose

To give individuals control over their personal data and to simplify the regulatory environment for international business. Fun fact: the regulation is 88 pages long, contains 99 articles, and has generated approximately 4.2 billion cookie consent popups (unofficial estimate).

Jump to your role:

Data Controller

You determine the purposes and means of processing personal data. In plain English: you decide why and how personal data gets used. If you're the one who said 'let's collect email addresses for our newsletter', congratulations — you're a controller.

Your obligations

  • Establish a lawful basis for every processing activity (Art. 6) — 'because we can' is not one of them
  • Maintain a Record of Processing Activities (RoPA) that documents what you process and why (Art. 30)
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing — like profiling or large-scale monitoring (Art. 35)
  • Report personal data breaches to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Art. 33) — weekends and holidays included, and the clock starts when you become aware, not when the incident happened. If the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects (Art. 34)
  • Ensure data subjects can exercise their rights: access, rectification, erasure ('right to be forgotten'), portability, and objection (Art. 15–22)
  • Implement appropriate technical and organisational measures to ensure data security (Art. 32) — a Post-it note with the database password does not qualify
  • Appoint a Data Protection Officer (DPO) if required (Art. 37)
  • Only engage processors that provide sufficient guarantees — and formalise this in a Data Processing Agreement (Art. 28)

Key articles

  • Art. 5 — Principles
  • Art. 6 — Lawful basis
  • Art. 13–14 — Information duties
  • Art. 28 — Processor agreements
  • Art. 30 — Records of processing
  • Art. 32 — Security measures
  • Art. 33–34 — Breach notification
  • Art. 35 — DPIA

Pro tip

Start with your RoPA. If you don't know what data you process, you can't protect it. Think of it as a map — you wouldn't navigate a city without one (unless you enjoy being lost).

Data Processor

You process personal data on behalf of a controller. Think: cloud hosting provider, payroll service, email marketing platform. You don't decide what to do with the data — you just do what the controller tells you. Like a very well-paid assistant with strict instructions.

Your obligations

  • Only process data according to the controller's documented instructions (Art. 28) — freelancing with personal data is not appreciated
  • Maintain your own Record of Processing Activities (Art. 30.2)
  • Implement appropriate security measures (Art. 32)
  • Notify the controller without undue delay after becoming aware of a breach (Art. 33.2) — 'I was on holiday' does not excuse the delay
  • Assist the controller with DPIAs and data subject requests when asked (Art. 28.3)
  • Only engage sub-processors with the controller's prior authorisation (Art. 28.2)
  • Delete or return all personal data when the processing relationship ends (Art. 28.3g)

Key articles

  • Art. 28 — Processor obligations
  • Art. 29 — Processing under authority
  • Art. 30.2 — Processor records
  • Art. 32 — Security
  • Art. 33.2 — Breach notification to controller

Pro tip

Get your Data Processing Agreements in order before your biggest client asks for them. Having a template ready is the processor equivalent of always carrying an umbrella — you'll be glad you did.

Data Protection Officer (DPO)

You're the organisation's independent data protection expert. You advise, monitor compliance, and serve as the contact point for the supervisory authority. You report directly to the highest management level, and no one can tell you what to conclude. You're essentially the auditor of data protection — nobody's favourite person at parties, but everyone calls you when things go wrong.

Your obligations

  • Inform and advise the controller/processor on their GDPR obligations (Art. 39.1a)
  • Monitor compliance with GDPR and internal data protection policies (Art. 39.1b)
  • Advise on DPIAs and monitor their performance (Art. 39.1c)
  • Act as the contact point for the supervisory authority (Art. 39.1d–e)
  • Ensure your independence — you must not receive instructions regarding how to perform your tasks (Art. 38.3)
  • Maintain expert knowledge of data protection law and practices (Art. 37.5)
  • Be available for data subjects who want to raise concerns (Art. 38.4)

Key articles

  • Art. 37 — Designation of the DPO
  • Art. 38 — Position of the DPO
  • Art. 39 — Tasks of the DPO

Pro tip

Document your advice — especially when management decides not to follow it. Your future self will thank you when the supervisory authority comes knocking.

Data Subject

You're a living, breathing human being whose personal data is being processed. That's it — no certification required. If an organisation has your name, email, IP address, or even your cookie preferences, you're a data subject. Which means you have rights. Quite a few, actually.

Your rights

  • You have the right to access your personal data and get a copy (Art. 15) — ask nicely, but you don't have to
  • You can request rectification of inaccurate data (Art. 16) — your name is not 'Valued Customer'
  • You can request erasure of your data — the famous 'right to be forgotten' (Art. 17)
  • You can restrict processing in certain situations (Art. 18)
  • You have the right to data portability — take your data and move it elsewhere (Art. 20)
  • You can object to processing, including profiling and direct marketing (Art. 21) — yes, you can unsubscribe
  • You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on you (Art. 22)
  • You can lodge a complaint with a supervisory authority if your rights are violated (Art. 77)

Key articles

  • Art. 15 — Right of access
  • Art. 16 — Rectification
  • Art. 17 — Erasure
  • Art. 20 — Data portability
  • Art. 21 — Right to object
  • Art. 22 — Automated decision-making
  • Art. 77 — Complaint to authority

Pro tip

When exercising your rights, be specific about what you want. A clear, written request (email is fine) gets faster results than a vague 'I want all my data'. The controller must respond without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests (Art. 12.3), so note the date you sent it. Pro-pro tip: mention GDPR in the subject line — it tends to speed things up.

How Euregas can help

Available tools

  • Record of Processing Activities (RoPA) — document every processing activity with built-in templates
  • DPIA with risk matrix — assess and score risks across 7 dimensions
  • Incident management — track breaches with automated 72-hour deadline reminders
  • Data subject rights — manage access, erasure, and portability requests end-to-end
  • Consent management — track consent collection, withdrawal, and audit trails
  • Data mapping — visualise data flows across systems and third parties
  • Data Processing Agreements — manage processor relationships and sub-processors
  • Legal basis assessment — document and review lawful basis per processing activity
  • Transfer Impact Assessment (TIA) — evaluate international data transfers

AI-assisted features

  • Consultation wizard (gdpr_readiness) — 5-step guided assessment with AI analysis per step and article references
  • AI-generated compliance verdict: compliant / conditionally compliant / non-compliant
  • Semantic search across GDPR articles, EDPB guidelines, and case law

Note

All GDPR tools (RoPA, DPIA, incident management, etc.) are manual workflows with structured templates. AI assistance is available through the consultation wizard — it is not integrated directly into individual tools.

All examples are fictional and for illustrative purposes only.