Who is responsible for doing the DPIA?
The controller of the processing is responsible for the DPIA being carried out.
This does not mean that the controller must necessarily carry out the assessment himself.
It is possible to delegate the actual assessment to another party, for example a processor or an external expert, but it is always the responsible party who is ultimately responsible for the assessment.
It is necessary to evaluate each time who is best suited to implement the DPIA, but this can depend on whether the proposed processing is in the special area of the processor rather than the controller.
Even if the controller decides to delegate the implementation of the DPIA to another party, this does not reduce the controller's own responsibility under data protection laws.
The responsible party must consult the data protection officer, if available to him/her, when the DPIA is implemented.
The recommendations from the data protection officer must be documented in the evaluation. The data protection officer is not responsible for the evaluation, however.
