Obligations for the controller and the processor set out by the GDPR

Conducting of an impact assessment and prior consultation

Processing operations which are likely to pose high risks to the rights and freedoms of individuals should be subject to a data protection impact assessment. The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

When is a Data Protection Impact Assessment (DPIA) required?

A data protection impact assessment is required at least in the following cases:

• a systematic and extensive evaluation of the personal aspects of an individual, including profiling,
• processing of sensitive data on a large scale,
• systematic monitoring of public areas on a large scale.

Prior consultation

The controller shall consult the supervisory authority if the impact assessment indicates that processing presents risks that cannot be mitigated.

The role of the processor

The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.