Open GDPR Wiki

Disclaimer: The information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

GDPR Roles

Controller vs. Processor

According to article 4 of the EU GDPR, different roles are identified as indicated below:

  • Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

So, the organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.


Data Protection Officer


  1. The data protection officer shall have at least the following tasks:
    • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    • to cooperate with the supervisory authority;
    • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
A DPO must:
  • Act “independently”
  • Not take instructions from their employer
  • Have expert knowledge of data protection law
  • Be provided with sufficient resources
  • Not be dismissed merely for performing their tasks
  • Report directly to the “highest management level”


Who needs a DPO?

The current view is that your organisation needs a DPO, or access to the advice of a DPO, unless you can show that it does not.

The Regulation provides that the following organisations shall appoint a DPO:

  1. A public authority or body processing personal data, except for courts acting in their judicial capacity.

  2. Where an organisation’s core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

This category includes social media companies, loyalty brand companies, online retail companies, and search engine companies.

  3. Where an organisation’s core activities consist of processing on a large scale of special categories of data (sensitive personal data) and personal data relating to criminal convictions and offences.

This category includes healthcare providers, insurers, and government departments who handle such data.


Who to appoint?


In-house or external consultant?

Organisations can appoint an in-house DPO on a full-time, part-time or dual-role basis. This appointment is always on the condition that the DPO’s tasks and duties do not conflict with another role being filled by that person.

As with any recruitment, the downside to an in-house DPO is that if the employee leaves, your organisation will have to rehire and/or possibly retrain another member of staff. The alternative is to engage a consultant on a needs basis. This is likely to be most suitable for small to medium-sized businesses whose needs are best served by having access to an external consultant as required.

DPO Decision Tree

(3) Personal Data

