# DPC GDPR Controller Obligations

> Other controller obligations for the DPC checklist: processor/supplier agreements (Art. 28–29), DPO (Art. 37–39), DPIA (Art. 35).



Tags: DPC, GDPR, Ireland, Compliance


## Example Prompts

- Draft processor contract clauses for the DPC checklist
- Document our DPO appointment and reporting lines
- Establish and document our DPIA procedure for high-risk processing

URL: https://rakenne.app/skills/dpc-gdpr-controller-obligations/index.md



## Overview

Other controller obligations for the DPC checklist: processor/supplier agreements (Art. 27–29), DPO (Art. 37–39), DPIA (Art. 35).

## Getting Started

Add your source materials to the project workspace, then activate the *DPC GDPR Controller Obligations* skill. The agent will guide you through the process step by step.

## Example conversation

**You:** We need to tighten our processor contracts and document our DPO decision. We also do some profiling—we might need a DPIA process.

**Agent:** I'll work in three parts. (1) Processor agreements: I'll draft or checklist clauses for subject matter, security, sub-processors, assistance with breaches and DPIAs, data subject rights, and return/deletion (Art. 28–29). (2) DPO: I'll draft either the rationale for not appointing a DPO or the appointment, reporting lines, and published contact details (Art. 37–39). (3) DPIA: I'll draft a procedure for when a DPIA is required and what it must contain (Art. 35), and note high-risk triggers. All aligned to the DPC controller-obligations checklist.

## Output excerpt

### Processor agreement checklist (excerpt)

- [ ] Subject matter, duration, nature and purpose of processing; data categories and data subjects.  
- [ ] Obligations of controller (instructions, lawfulness).  
- [ ] Confidentiality and security (Art. 32); sub-processors (prior authorisation, same obligations).  
- [ ] Assistance with data subject rights, DPIAs, breach notification; return or deletion of data.  
- [ ] Audits and inspections.

**DPO** — We have documented that a DPO is not required (Art. 37): no public authority; no large-scale systematic monitoring; no large-scale special category/criminal data as core activity. [Alternative: DPO appointed: [Name]; reporting to [Board]; contact published at [URL].]

**DPIA** — Procedure: trigger when processing is likely to be high risk (e.g. profiling with significant effects, large-scale special categories). The DPIA must describe the processing, its necessity and proportionality, the risks, and the mitigation. Review before going live.

## Extension and validation

This skill does not include custom validation tools. Elaboration is guided by the skill workflow and reference materials. You can add tools in `extension.ts` later (e.g. to check required sections or checklist coverage) if you want automated validation.


