Basics

"Our duties - these are the rights to us."
Friedrich Wilhelm Nietzsche


Now that we know our rights as data subjects, let's look at what obligations arise from our rights for the processors of personal data. We have already mentioned that the so-called "controller" is responsible for the implementation of data protection and compliance with the obligations.


Who is actually responsible? 

In English, there is the term "competence to decide". This refers to the person with the authority to make decisions. In companies, this is always the management in the final instance; in associations, it is the board of directors. They are liable for any damage caused by the unlawful processing of personal data.


Source: Gerd Altmann on Pixabay


Art. 4 GDPR - Definitions

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;


Further information: Recital 74 GDPR


What are the obligations of the person responsible? 

First and foremost, the controller must ensure that the data protection regulations are implemented in their own company and guarantee that the regulations are complied with. 

They must ensure that suitable technical and organisational measures are implemented to protect personal data. When implementing these measures, the type, scope, circumstances and purposes of the processing as well as the various risks for the data subjects must be taken into account. In addition, the controller must be able to prove the implementation of all measures in case of doubt.

This results in a number of requirements for the controller and the company or organisation, which we look at in detail on the following pages.


Please note

The data protection requirements depend heavily on how much data is processed and how critical it is. Some of the requirements that we present below are unlikely to apply to smaller organisations, while others must be implemented by every institution. 

Data protection always means teamwork, i.e. the person responsible is not left alone with their task, but is supported by specialised departments and possibly a data protection officer. If you are the person responsible, get these people round the table and work together on the requirements.