Who is responsible for ensuring compliance under GDPR?

The data controller holds primary responsibility for ensuring compliance with the General Data Protection Regulation (GDPR). This role involves determining the purposes and means of processing personal data. The data controller is obligated to implement measures and policies to ensure that all processing activities comply with GDPR's requirements, including ensuring that individuals' rights are respected and that data is processed lawfully, fairly, and transparently.

Additionally, while the data processor also has responsibilities under GDPR—particularly regarding how they handle the data on behalf of the controller—ultimate accountability lies with the data controller. The Data Protection Officer (DPO) serves as an advisor and can assist in compliance efforts, but does not carry sole responsibility for compliance. The data subject, referring to the individuals whose personal data is being processed, does not bear any compliance responsibilities; their role is primarily related to their rights under the regulation.