OBLIGATIONS OF DATA CONTROLLERS AND PROCESSORS

07 August, 2025
The Law on Personal Data Protection (LPDP) aims to ensure effective protection of personal data not only by guaranteeing individual rights, but also by establishing clear responsibilities for controllers and processors.
Who are controllers and processors?
A controller is the entity that determines the purposes and means of processing personal data. A processor is any party that processes data on behalf of the controller, based on the instructions and agreements made with the controller. When two or more entities jointly determine the purposes and means of processing, they are considered joint controllers and share legal responsibility.
Every public institution or private entity that collects, stores, or processes personal data has legal obligations to fulfill at every stage of the processing cycle. These obligations are essential for building trust, preventing abuse, and avoiding sanctions from supervisory authorities.
Maintaining records of processing activities
Under Article 39 of the LPDP, both controllers and processors are required to maintain written records of their data processing activities. These records must contain key information such as:
- the name and contact details of the controller and, where applicable, the controller’s representative, the data protection officer, or joint controller;
- the purposes of the processing;
- a description of the categories of data subjects and personal data;
- the categories of recipients to whom the data have been or will be disclosed;
- information on the transfer of personal data to a third country or international organization;
- the envisaged time limits for erasure of the data;
- a description of the technical and security measures.
This documentation must be made available to the data protection authorities upon request and is a key element in demonstrating compliance with the LPDP.
Although organizations with fewer than 250 employees may be exempt from this obligation in limited circumstances, such as when processing is occasional, does not involve sensitive data, and poses no significant risk to data subjects, this exemption is rarely applicable in practice. Most businesses regularly process personal data (e.g., payroll, websites, customer databases), making record-keeping essential. Authorities are expected to focus on this documentation during inspections.
Failure to maintain or submit these records may result in fines of up to €40,000, as provided in Article 92 of the LPDP.
Notifying the Agency of a personal data breach
In the event of a personal data breach, the data controller is obliged to notify the Information and Privacy Agency without undue delay and, where possible, no later than 72 hours after becoming aware of the breach. This obligation may be waived only if the breach is unlikely to pose a risk to the rights and freedoms of individuals.
If the notification is made after 72 hours, the controller must explain the delay. Processors, on the other hand, must inform the controller immediately after discovering the breach.
The notification to the Agency must include a description of the breach (including, where possible, the categories and approximate number of affected data subjects and personal data), the contact details of the data protection officer or other relevant person for more information, the possible consequences of the breach, and the measures taken or planned to address the breach and mitigate its consequences. If it is not possible to provide all this information immediately, it may be submitted in phases, without undue further delay.
Additionally, the controller is required to document every personal data breach, including the facts related to the incident, its impact, and the corrective measures taken. This documentation is essential for demonstrating compliance with the law and enables the supervisory authority to verify whether the controller has fulfilled its legal obligations.
Cooperation with the Information and Privacy Agency
The controller and processor, and where applicable their representatives, must cooperate with the Agency upon request in the performance of its tasks.
Data Protection Impact Assessment
When data processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must carry out and document a Data Protection Impact Assessment (DPIA) before the processing begins.
This assessment is mandatory in cases such as profiling, automated decisions with legal consequences, large-scale processing of sensitive data, the use of new technologies, or international data transfers.
If several of these conditions are met simultaneously, the assessment is mandatory. In cases of uncertainty, it is always recommended to conduct the assessment.
Security of processing
Taking into account the current state of technology, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risk that may vary in likelihood and severity for the rights and freedoms of individuals, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures may include, among others:
- pseudonymization and encryption of personal data;
- the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
In this process, the risk of destruction, loss, alteration, unauthorized access, or disclosure of personal data must be considered.
The use of approved codes of conduct or certification mechanisms can help demonstrate compliance with these requirements.
Furthermore, any person acting under the authority of the controller or processor and having access to personal data must act only on instructions and for the intended purposes, unless required otherwise by law.
Agreement between the controller and processor
The processor may process data only based on clear and written instructions from the controller, as defined in a contractual agreement. This agreement outlines the obligations, purposes, and security measures the processor must implement during the data processing.
Conclusion
The obligations of data controllers and processors form the foundation of a functional and trustworthy personal data protection system. Fulfilling these responsibilities not only ensures legal compliance but also strengthens the trust of individuals and business partners.
In the next article, we will focus on the role and responsibilities of the Data Protection Officer, as a key figure in ensuring compliance with the Law on Personal Data Protection and providing practical support in implementing legal requirements.
Author: Valmir Haziraj