1. A controller shall ensure that all processing operations involving personal data that are performed within its area of responsibility comply with the provisions of Regulation (EU) 2018/1725 and any other Union data protection provisions applicable to the ECB.
2. A controller shall ensure that the DPO is informed, without undue delay, of the following:
(a) any issue that has, or might have, data protection implications;
(b) any opinion, document, internal policy or internal decision that may impact on the ECB’s data protection compliance, before adoption;
(c) any personal data breach or other incident concerning data protection;
(d) any direct interaction of a controller with the EDPS.
3. A controller shall, in particular:
(a) consult the DPO in a timely manner on any activities related to the processing of personal data or any other data protection issues;
(b) conduct and approve data protection impact assessments in cooperation with the DPO and pursuant to Article 39 of Regulation (EU) 2018/1725;
(c) comply with any relevant internal policies related to the processing of personal data or any other data protection issues;
(d) maintain, in cooperation with the data protection coordinators, regularly updated records of processing activities in accordance with Article 31(5) of Regulation (EU) 2018/1725, using the template approved by the DPO.
4. When assisting the DPO and the EDPS in performing their duties, a controller shall provide full information to them, grant access to personal data and respond to questions within 20 working days of receiving a request.