Recital 74

¹ The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. ² In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. ³ Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.