EuroComply

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) is the cornerstone of EU data protection law, replacing the 1995 Data Protection Directive and entering into force on 25 May 2018. It applies to any organisation — regardless of where it is established — that processes personal data of individuals residing in the European Union or European Economic Area. Personal data means any information that can identify a living person, directly or indirectly: a name, an email address, an IP address, a cookie identifier, or a combination of attributes that singles someone out. The regulation is built on seven foundational principles set out in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Accountability is the principle that distinguishes GDPR from its predecessor — organisations must be able to demonstrate compliance, not merely assert it.

For an EU SME, GDPR creates concrete operational obligations. You need a documented lawful basis for every processing activity (Article 6), a privacy notice that meets the transparency requirements of Articles 13 and 14, a mechanism to respond to data subject requests within one month (Articles 15–22), and a procedure for notifying your national Data Protection Authority of a personal data breach within 72 hours (Article 33). If your processing is high-risk, you must complete a Data Protection Impact Assessment before starting (Article 35).

The consequences of getting it wrong are severe. The supervisory authority in your member state can impose administrative fines of up to €10 million or 2% of global annual turnover for violations of organisational requirements such as missing records or inadequate processor contracts. The upper tier — up to €20 million or 4% of global annual turnover, whichever is higher — applies to breaches of the fundamental principles, lack of lawful basis, or violations of data subject rights. These percentages apply to the entire corporate group's worldwide revenue, not just the entity in breach. Beyond fines, supervisory authorities can issue temporary or permanent bans on processing, which can be existential for data-dependent businesses. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

Related terms

Data Controller

Under GDPR Article 4(7), a data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The key distinguishing feature is decision-making power: if your organisation decides why data is being collected and how it is going to be used, you are the controller for that processing activity. Being a controller is not about physically holding data — a company that instructs a cloud provider to store customer records remains the controller even though the servers belong to someone else.

Controllers bear the primary compliance burden under GDPR. They must identify and document a lawful basis for each processing purpose under Article 6 (and Article 9 for special category data), provide transparent information to individuals at the point of collection under Articles 13 and 14, maintain a Record of Processing Activities under Article 30, implement appropriate technical and organisational measures under Article 32, notify their supervisory authority of data breaches within 72 hours under Article 33, and respond to data subject requests within one month under Articles 15 to 22. Where they engage processors, controllers must enter into written Data Processing Agreements under Article 28 and restrict processor choices to those offering sufficient guarantees of compliance.

Joint controllers — where two or more organisations jointly determine the purposes and means of processing — must enter into an arrangement under Article 26 that allocates GDPR responsibilities between them and designates a point of contact for data subjects. This is common in affiliate marketing, co-branding, and platform ecosystems.

For an EU SME, being miscategorised as a processor when you are actually a controller is a serious compliance risk. Regulators look at substance over label: if a contract says you are a processor but your operational reality involves deciding how customer data is used, you will be treated as a controller. Administrative fines for controller violations can reach €20 million or 4% of global annual turnover, and supervisory authorities can prohibit processing entirely — a potentially business-ending outcome. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

Data Processor

Under GDPR Article 4(8), a data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The hallmark of a processor is that it acts on instructions: it does not decide why personal data is processed or set the purposes — that authority belongs to the controller. A payroll bureau processing employee data for a company, a cloud provider storing a SaaS customer's database, and an email delivery platform sending marketing messages are all classic examples of processors.

Processors have a narrower but still binding set of GDPR obligations. They may only process personal data on documented instructions from the controller, must ensure that anyone with access to personal data is bound by confidentiality, must implement appropriate technical and organisational measures under Article 32, must assist the controller in fulfilling data subject requests and breach notification obligations, must delete or return data at the end of the service relationship, and must make available all information necessary to demonstrate compliance. Under Article 28(2), processors may not engage a sub-processor without prior specific or general written authorisation from the controller, and must flow down equivalent obligations to any sub-processor they appoint.

A written Data Processing Agreement (DPA) is mandatory under Article 28. The DPA must specify the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; the obligations and rights of the controller; and the technical and organisational measures to be maintained. Absent a compliant DPA, both parties are exposed to regulatory action.

For an EU SME acting as a processor — for example, providing SaaS software to business customers — you must be prepared to sign customer DPAs, maintain your own records of processing, manage sub-processor chains, and assist customers with breach response. Processors face direct regulatory liability for breaches of their specific Article 28 obligations and for acting outside or contrary to the controller's instructions, with fines reaching €10 million or 2% of global annual turnover. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

DPA — Data Protection Authority

Each EU member state has a national Data Protection Authority — an independent public body responsible for monitoring and enforcing compliance with GDPR and related data protection legislation, advising the public and organisations, and cooperating with its counterparts across the EU. The GDPR refers to these bodies as supervisory authorities; DPA is the common shorthand used in practice. Well-known examples include the CNIL in France, the BfDI in Germany, the Datatilsynet in Denmark and Norway, the Garante in Italy, and the Data Protection Commission (DPC) in Ireland. The UK's Information Commissioner's Office (ICO) performs the same function but operates under UK GDPR following Brexit.

For cross-border processing — where an organisation processes personal data of individuals in more than one EU member state — the one-stop-shop mechanism under Article 56 designates a single lead supervisory authority based on where the organisation has its main establishment (usually its EU headquarters or the place where decisions about processing are taken). Other concerned supervisory authorities in member states where individuals are affected can cooperate and object under Articles 60 and 65 if they disagree with the lead authority's draft decision.

DPAs have significant investigative powers: they can conduct audits, demand access to premises and processing systems, compel production of documents, carry out data protection sweeps, and initiate own-initiative investigations based on complaints or media reports. Their corrective powers include issuing warnings and reprimands, ordering compliance, imposing temporary or permanent bans on processing, and imposing administrative fines. They can also order data to be erased, rectified, or not transferred to third countries.

For an EU SME, your lead supervisory authority is the DPA in the member state where your EU establishment is located. If you have no EU establishment but target EU residents, the DPA of the member state in which you have a representative under Article 27 is your primary point of contact. Engaging proactively with your DPA — for example, seeking prior consultation under Article 36 before high-risk processing — is a legitimate risk management strategy and demonstrates the accountability the regulation requires. See the GDPR compliance guide at eurocomply.app/regulations/gdpr

DPO — Data Protection Officer

A Data Protection Officer is a designated individual or external service provider responsible for independently overseeing an organisation's data protection compliance. The DPO role was created by GDPR Article 37, which mandates appointment in three situations: where the processing is carried out by a public authority or body; where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of processing special category data or personal data relating to criminal convictions and offences on a large scale. Many organisations that are not strictly required to appoint a DPO do so voluntarily as a governance best practice.

The DPO's tasks are set out in Article 39. They include informing and advising the organisation and its employees of their obligations under GDPR, monitoring compliance with the regulation and with the organisation's own data protection policies, advising on Data Protection Impact Assessments and monitoring their performance, cooperating with the supervisory authority, and acting as the contact point for the supervisory authority on processing issues including prior consultation under Article 36. Importantly, the DPO does not take personal liability for the organisation's GDPR compliance — responsibility remains with the controller or processor — but the DPO must be independent, must report to the highest management level, and must not receive instructions regarding the exercise of their tasks.

The DPO must be registered with the competent supervisory authority. The name and contact details must also be published and communicated to the authority under Article 37(7). A DPO can serve multiple organisations within a corporate group, provided they are accessible to all relevant data subjects and authorities.

For an EU SME, the threshold question is whether you conduct large-scale systematic monitoring (a CCTV network covering a city, behavioural advertising, real-time location tracking) or large-scale special category processing (health data, biometrics, trade union membership). If either applies, appointing a DPO is not optional. Failure to appoint a required DPO is a violation subject to fines of up to €10 million or 2% of global annual turnover. See the GDPR compliance guide at eurocomply.app/regulations/gdpr