Guest
GDPR Data Controller or Data Processor
Can my controller ask me to conduct a DPIA for the processing activities that involve me as a data processor?
Expert
Andrei Hanganu
Jun 21, 2019
Answer:
Article 35 of the GDPR clearly states that "Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
So here it says where the responsibility lies.
Moreover, as processors we have no visibility on the processing activities carried out by the data controller, and we cannot decide how to deal with data subjects' rights, retention periods, etc., so we don't have enough information to perform a DPIA even if we wanted to.
The processor's obligation under article 28(f) requires you to assist the controllers "in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor", so once again it is clearly stated that the responsible ones for the DPIA are the controllers.
So it should be the controller that needs to perform the DPIA and we will be providing based on their specific requests.
If you want to learn more about DPIAs, check out this free webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/)