Obligations of Controllers

This position paper is also available for downloading in .pdf format.



The obligations to which controllers are subject must at all times be clear and as detailed as possible. This is one of the keys to good protection of personal data. Having controllers be subject to clear rules will clarify the responsibilities of controllers. Clear rules will also benefit supervisory authorities when investigating data protection breaches, especially where these rules ensure the availability of adequate documentation regarding the processing of personal data.


The rules on obligations of controllers under the proposed Directive differ from those under the proposed Regulation in several important aspects. The obligations imposed by the proposed Directive are far less detailed and less strict. Specific measures and procedures introduced in the proposed Regulation are missing in the proposed Directive. For instance, controllers under the Directive do not need to carry out data protection impact assessments or lay down obligations of processors in writing. The obligation to adhere to the principles of privacy by design and default is watered down, and the documentation requirements are far more limited than those laid down in the proposed Regulation. Additionally, controllers are subject to a lower level of regulatory control, and the controller-processor relationships are regulated in less detail and with fewer safeguards for individuals.

This is both alarming and surprising, given the fact that controllers under the scope of the proposed Directive – such as police authorities and public prosecutors – by their very nature deal with personal data that are sensitive and use them to take decisions that can seriously affect data subjects. Therefore the rules of the proposed Directive should rather be stricter than under the proposed Regulation.

Only in one case, controllers under the Directive face more fine-grained requirements: they are supposed to keep detailed records of their processing operations. A police database would for example have to log which data were combined for which purpose at which time. If possible, such a controller must also log which officer consulted which records. The table below lists the most important differences between the controller obligations listed in the Regulation versus those of the Directive.




Article 22 (1)

Article 18(1)

Under the Directive, controllers do not need to be able to “demonstrate” compliance with data protection rules.

Article 22 (2) (b)

Under the draft Directive, controllers are not obliged to conduct data protection impact assessments.

Article 22 (3)

Article 18 (3)

Article 18(3) of the draft Directive does not contain a reference to paragraph 2(which would add clarification).

Article 23 (2)

Article 19 (2)

While the Regulation obliges controllers to implement data protection by design both at the design stage and in the actual processing, the Directive does not make this distinction. The requirements for data protection by default are less specific: there are no references to maximum storage periods of data or their publication.

Article 26 (1)

Article 21 (1)

The Directive is less specific as regards technical measures to be implemented by processors.

Article 26 (2) (a) to (h)

Article 21 (2)

There is no list of specific requirements for the controller-processor relationship in the Directive.

Article 26 (3)

The requirement to lay down processor’s obligations in writing does not exist.

Article 28 (2)

Article 23 (2)

The scope of what needs to be documented is different: under the Regulation, such documentation has to be maintained for all “processing operations”, while under the Directive “processing systems and procedures” need to be documented. The list of items to include in the documentation is shorter as well:

  • no contact information for the data protection officer;
  • no description of categories of data subjects and the categories of personal data relating to them;
  • no documentation of safeguards for 3rd country transfers;
  • no mention of retention periods;
  • no description of accountability mechanisms.

Article 24

This Article obliges controllers to keep detailed logfiles on their systems, but only “as far as possible”, which is why it hardly qualifies as an obligation

Article 29 (1)

Article 25 (1)

The rules on cooperation with supervisory authorities are more vague, as their powers are described less clearly under the Directive.

Article 29 (2)

Article 29 (2)

In both cases, controllers need to reply to the supervisory authority within a “reasonable period”, however only under the Regulation this period is fixed by the supervisory authority.

Article 33

No rules on data protection impact assessments.


Simply put, we recommend that the controller obligations in the proposed Directive be brought in line with those in the proposed Regulation (and the amendments we proposed there). More specifically we suggest the following changes:

  • Article 18(1): include the requirement of being able to “demonstrate” compliance;
  • Article 19: align with the proposed Regulation and explain that both technical and organisational measures should be used to implement data protection by design and by default, add a reference to data protection impact assessments;
  • Article 21(2): include the list of requirements from Article 26(2) of the proposed Regulation;
  • Article 21(2a): add a new paragraph, equivalent to Article 26(3) of the proposed Regulation, requiring written documentation of controllers’ instructions and processors’ obligations.
  • Article 23(1): align with the documentation requirements in Article 28(2) of the proposed Regulation and include a requirement for a substantive explanation for 3rd country transfers based on appropriate safeguards or derogations;
  • Article 24: clarify that these records shall be made available to the supervisory authority on request;
  • Article 25: align with Article 29 of the proposed Regulation by specifying that the “reasonable period” is to be specified by the supervisory authority;
  • Article 26(1): require prior authorisation also in cases where measures based on profiling are to be carried out and when a data protection impact assessment has been carried out;
  • New Article 29a: introduce rules on data protection impact assessment, based on Article 33 of the proposed Regulation.
  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
%d bloggers like this: