Data controller: explanation of the figure and duties

Data Controller

According to the new European Data Protection Regulation (GDPR), the data controller, defined in Article 4, is:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

In simple terms, the data controller is the person or body that decides, alone or jointly with others, the purposes and means of personal data processing.

Data Controller & Data Processor

One element that can create confusion on this subject is the presence in the regulation of a second figure, the Data Processor. The data processor, however, is not a mandatory figure. Article 4 defines it as follows:

“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Data Controller: the duties

Under the regulation, the data controller has several duties. These do not cover data management as such, but rather:

  • As stated above, determining the purposes and means of the processing;
  • Not a duty as such but a responsibility: the controller is legally responsible for compliance with the regulation;
  • Notifying the supervisory authority;
  • Ensuring that the rights of data subjects are respected, by implementing adequate technical and organizational measures;
  • Being responsible for implementing the right measures to prevent the loss, alteration, destruction, etc. of data;
  • Together with the data processor, ensuring an adequate level of risk;
  • Where required, keeping the records of processing activities.

Swascan: GDPR approach

To help companies with their compliance process, Swascan developed a dedicated tool. Swascan GDPR Self-Assessment allows companies to test their compliance level (alongside the overall compliance index, there is a specific index for each GDPR thematic area). The Swascan platform also provides a concrete action plan listing the actions to implement in order to meet the GDPR requirements. A free trial of the GDPR Self-Assessment is available.


A facsimile of the final report:


To give your business the best tool available, Swascan together with Raoul Chiesa (Raoul Chiesa interview) developed a dedicated cybersecurity platform. It is fully cloud-based, pay-per-use and SaaS. You can see for yourself in our brochure, Cybersecurity platform, and take an in-depth look at our services. Our four services cover all governance needs in terms of risk management and periodic assessment: the right tools to understand your focus areas are Vulnerability Assessment, Network Scan, Code Review and GDPR Assessment. Last but not least, our platform is 100% GDPR compliant (GDPR infographic), and for complete documentation you can find information here about the new figure introduced by this law: the DPO.
