Obligations of Controlling Services


obligations data privacy


As a controlling service, you must be sure that the processing of personal data that takes place under your responsibility is conform with OC 11.

In practice this means that:

  1. You must make sure that
    • the basic principles of data processing are observed
    • a valid lawful basis exist
    • an applicable exception is present in case you have to process sensitive personal data
  2. You document the processing in a Records of Processing Operations (RoPO), and that you publish the corresponding Privacy Notice on forms, web pages, etc. so that the data subjects can easily find this information.
  3. You carry out a Data Privacy Impact Assessment if applicable.
  4. You apply the Data Privacy by Design and by Default approach when you set up or review processing operations, and keep detailed records of the privacy considerations that have been taken into account in this context.
  5. You handle requests of individuals who requests to exercise their data subject rights.
  6. You take the necessary actions to notify data breaches, in collaboration with the ODP.