Article 24 GDPR: Difference between revisions
Line 206: | Line 206: | ||
==== Taking into account... ==== | ==== Taking into account... ==== | ||
To decide which measures to implement, the controller must perform a comprehensive assessment of processing activities, analyze potential consequences and causes of harm, and consider the specific criteria and examples provided in the GDPR to effectively evaluate and mitigate risks associated with data processing. The provision lists several elements that the controller must take into account when assessing the risk. | To decide which measures to implement, the controller must perform a comprehensive assessment of processing activities, analyze potential consequences and causes of harm, and consider the specific criteria and examples provided in the GDPR to effectively evaluate and mitigate risks associated with data processing. The provision lists several elements that the controller must take into account when assessing the risk.<ref>Although GDPR prescribes that the controller must determine the risk, it does not prescribe procedural steps on how to perform this assessment. Hence, this assessment is left to the controller. In this regard, ''Martini'' points to Article 35(4) GDPR, which states that “''The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment''”, and notes that such a list can provide guidance to controllers since it shows which processing operations constitute a high risk. However, he also argues that “''informative content is limited to whether there is a high or normal risk and whether a data protection impact assessment is therefore indicated (Art. 35(1)) and the supervisory authority must be consulted (Art. 36(1)) before the controller takes concrete measures''”. Hence, such a list is merely an indication of risk and does not provide the controller with certainty as to which measures are suitable and effective in a specific case. See, ''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition). Moreover, the EDPB could also provide useful guidance. ''Lang'' notes that the Board ''may'' issue guidelines pursuant to Article 70(1)(e) GDPR, and that this applies in particular to the determination of risk that is related to processing (recital 77 GDPR). ''Lang'', in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).</ref> | ||
===== Nature, scope, context and purposes ===== | ===== Nature, scope, context and purposes ===== | ||
Line 213: | Line 213: | ||
===== Risks of varying likelihood and severity for rights and freedoms of natural persons ===== | ===== Risks of varying likelihood and severity for rights and freedoms of natural persons ===== | ||
Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. This obligation to consider the likelihood of the materialisation expands on Article 17 of the Data Protection Directive (DPD), which merely mentioned the consideration of risks.<ref>''Docksey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref> Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment. For instance, processing that involves the publication of data can be considered risky. The scale of processing, particularly when it involves large volumes of personal data or profiling, can introduce specific risks if those data are interconnected with other available somewhere else, and even if individual data points seem insignificant. Special circumstances may arise when processing sensitive data, retaining data for extended periods, or transferring data to different contexts. Risky purposes are often associated with social dependency relationships and processing linked to fundamental rights, among other factors.<ref>''Petri'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 12 (C.H. Beck 2019).</ref> Additionally, there may be causes of further harm resulting from subsequent data processing that extend beyond the infringement of personal rights. These causes can contribute to increased risks, although they may not be specifically defined. Examples include limitations on data subject rights not provided by law, processing of sensitive data as defined in Articles 9 and 10, creation of individual profiles, recording of individuals requiring special protection (e.g., children), or unique processing activities. These factors can be utilized to influence decisions, engage in discriminatory practices, differentiate treatment, or deny access to services. High-risk processing operations are further detailed in Recitals 89 and 91, particularly highlighting the use of new technologies.<ref>''Petri'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 13-14 (C.H. Beck 2019).</ref> | Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. This obligation to consider the likelihood of the materialisation expands on Article 17 of the Data Protection Directive (DPD), which merely mentioned the consideration of risks.<ref>''Docksey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref> Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment. For instance, processing that involves the publication of data can be considered risky. The scale of processing, particularly when it involves large volumes of personal data or profiling, can introduce specific risks if those data are interconnected with other available somewhere else, and even if individual data points seem insignificant. Special circumstances may arise when processing sensitive data, retaining data for extended periods, or transferring data to different contexts. Risky purposes are often associated with social dependency relationships and processing linked to fundamental rights, among other factors.<ref>''Petri'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 12 (C.H. Beck 2019).</ref> Additionally, there may be causes of further harm resulting from subsequent data processing that extend beyond the infringement of personal rights. These causes can contribute to increased risks, although they may not be specifically defined. Examples include limitations on data subject rights not provided by law, processing of sensitive data as defined in Articles 9 and 10, creation of individual profiles, recording of individuals requiring special protection (e.g., children), or unique processing activities. These factors can be utilized to influence decisions, engage in discriminatory practices, differentiate treatment, or deny access to services. High-risk processing operations are further detailed in Recitals 89 and 91, particularly highlighting the use of new technologies.<ref>''Petri'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 13-14 (C.H. Beck 2019).</ref> | ||
==== Shall implement appropriate measures to ensure GDPR compliance ==== | ==== Shall implement appropriate measures to ensure GDPR compliance ==== |
Revision as of 07:57, 23 May 2023
Legal Text
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Relevant Recitals
Commentary
This provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s responsibilities as the first addressee for GDPR compliance. The actual obligations that follow from this position are described more specifically in other provisions, such as Article 25 GDPR or Article 32 GDPR.[1] Article 24 GDPR is the only provision in this section which precludes the imposition of fines under Article 83(4)(a) or Article 83(5) GDPR.[2] As Hartung notes, this supports the view that it is intended as a general provision that provides an overview of the controller’s responsibilities.[3] By imposing "accountability" on the controller, the provision assigns a ‘proactive’ role to the controller.[4] Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that the controller can “ensure” compliance with the Regulation.
EDPB Guidelines: For this Article there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR
(1) Appropriate technical and organisational measures
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including data protection principles (Article 5 GDPR), data subject rights (amongst others, Articles 12 to 22 GDPR) and controllers’ obligations.
The controller
The regulation addresses the controller. Other entities, such as data processors, are not mentioned in Article 24 and their responsibility is usually limited to specific aspects regulated separately. However, this limited responsibility does not affect the overall accountability and liability of the controller in external relationships which remains separate, regardless of whether decision-making authority over the purposes and methods of processing is equally or unequally distributed.[5]
Taking into account...
To decide which measures to implement, the controller must perform a comprehensive assessment of processing activities, analyze potential consequences and causes of harm, and consider the specific criteria and examples provided in the GDPR to effectively evaluate and mitigate risks associated with data processing. The provision lists several elements that the controller must take into account when assessing the risk.[6]
Nature, scope, context and purposes
First, it must consider the nature of the processing (manual or automated), the scope of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the context of the processing (how many parties are involved, which systems are used, etc.), and the purposes of the processing.[7]
Risks of varying likelihood and severity for rights and freedoms of natural persons
Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. This obligation to consider the likelihood of the materialisation expands on Article 17 of the Data Protection Directive (DPD), which merely mentioned the consideration of risks.[8] Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "loss of confidentiality of personal data protected by professional secrecy". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment. For instance, processing that involves the publication of data can be considered risky. The scale of processing, particularly when it involves large volumes of personal data or profiling, can introduce specific risks if those data are interconnected with other available somewhere else, and even if individual data points seem insignificant. Special circumstances may arise when processing sensitive data, retaining data for extended periods, or transferring data to different contexts. Risky purposes are often associated with social dependency relationships and processing linked to fundamental rights, among other factors.[9] Additionally, there may be causes of further harm resulting from subsequent data processing that extend beyond the infringement of personal rights. These causes can contribute to increased risks, although they may not be specifically defined. Examples include limitations on data subject rights not provided by law, processing of sensitive data as defined in Articles 9 and 10, creation of individual profiles, recording of individuals requiring special protection (e.g., children), or unique processing activities. These factors can be utilized to influence decisions, engage in discriminatory practices, differentiate treatment, or deny access to services. High-risk processing operations are further detailed in Recitals 89 and 91, particularly highlighting the use of new technologies.[10]
Shall implement appropriate measures to ensure GDPR compliance
The term "measure" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. However, the GDPR does not define what is a technical measure, it merely gives examples,[11] such as securing the access (password protection) or transfer (encryption). Of course, these technical measures would be ineffective if no organisational measures that secure compliance with them are implemented (e.g. data audits, activity logs, internal training of employees by the DPO).[12] Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "transparency with regard to the functions and processing of personal data". In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, as Hartung observes, this is not really a problem because the GDPR does not differentiate between the two in terms of legal requirements.[13]
And to demonstrate GDPR compliance
Controllers not only have to ensure compliance, but have to demonstrate it through evidence. The comprehensiveness of this evidence must be proportionate to the risk posed by the processing operation. The more risky a processing operation, the more comprehensive the accompanying evidence must be.[14] Conversely, where the risk is lower a witness statement rather than physical documentation might be sufficient. Like other elements of the provision, this requirement is elaborated on in other GDPR articles (e.g. maintaining a record of processing activities under Article 30(1) GDPR; documenting personal data breaches under Article 33(5) GDPR). Whether the controller’s obligation to demonstrate compliance, also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to Article 82, is uncertain. Some authors, such as Bergt and Quaas, argue in favour of this point of view,[15] as does the Regional Labor Court of Baden-Württemberg.[16] Others, however, disagree with this interpretation. According to Martini, the controller’s obligation to demonstrate compliance does not necessarily imply that the burden of proof lies with it where a claim is brought under civil law. If a data subject asserts a claim for damages under Article 82 GDPR, it is still up to them to prove the violation of data protection law, damage, and causality.[17]
Measures must be continuously reviewed and updated
The controller must continuously be able to demonstrate compliance by reviewing existing measures and updating them. This requirement is closely related to the controller's obligations laid down in Article 32(1)(d) GDPR. Beyond the qualifier "where necessary", it is not specified how frequently updates must be carried out. Again, it is the controller’s responsibility to ensure that their processing operations are currently compliant.[18]
(2) Data protection policies
Although Hartung claims that this paragraph is obscure,[19] Martini argues it simply expands on Article 24(1) GDPR by specifying the conditions under which the technical and organisational measures must also include data protection measures. These policies are thus not merely legal requirements, but concrete procedural instructions a controller or its staff should follow to avoid violations of the GDPR. The instructions are linked to Article 39(1)(b) GDPR, which states that the DPO’s duty to monitor compliance with the data protection policies. The principle of proportionality ("Where proportionate") plays an important role in this case. A large company carrying out many different processing operations should have more comprehensive and specific policies than a small company with few processing operations.[20]
Example: XXX
(3) Self-regulation measures as evidence of compliance
Article 24(3) provides the controller with more certainty regarding the question whether it is sufficiently able to demonstrate compliance with its obligations. The controller can show that it adhered to (i) approved codes of conduct (Article 40 GDPR), (ii) approved certification mechanisms (Article 42 GDPR), or (iii) guidelines by the EDPB and advice by the data protection officer (Recital 77 GDPR). Nevertheless, it follows from the word "element" that such self-regulation measures only support the assumption that the controller is compliant, but does not prove it.[21]
Decisions
→ You can find all related decisions in Category:Article 24 GDPR
References
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2020, 3rd Edition).
- ↑ However, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations. Plath, in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 24 (C.H. Beck 2020, 3rd Edition).
- ↑ Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 9 (C.H. Beck 2019).
- ↑ Although GDPR prescribes that the controller must determine the risk, it does not prescribe procedural steps on how to perform this assessment. Hence, this assessment is left to the controller. In this regard, Martini points to Article 35(4) GDPR, which states that “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment”, and notes that such a list can provide guidance to controllers since it shows which processing operations constitute a high risk. However, he also argues that “informative content is limited to whether there is a high or normal risk and whether a data protection impact assessment is therefore indicated (Art. 35(1)) and the supervisory authority must be consulted (Art. 36(1)) before the controller takes concrete measures”. Hence, such a list is merely an indication of risk and does not provide the controller with certainty as to which measures are suitable and effective in a specific case. See, Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition). Moreover, the EDPB could also provide useful guidance. Lang notes that the Board may issue guidelines pursuant to Article 70(1)(e) GDPR, and that this applies in particular to the determination of risk that is related to processing (recital 77 GDPR). Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 14 (C.H. Beck 2020, 3rd Edition).
- ↑ Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 12 (C.H. Beck 2019).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 13-14 (C.H. Beck 2019).
- ↑ Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin numbers 23-24 (C.H. Beck 2022, 4th Edition).
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 21-22 (C.H. Beck 2021, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2020, 3rd Edition).
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).
- ↑ For example, Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin numbers 46, 48 (C.H. Beck 2020, 3rd Edition); Quaas, in: Wolff, Brink, BeckOK Datenschutzrecht, Article 82 GDPR, margin number 16 (C.H. Beck 2021, 39th Edition).
- ↑ LAG Baden-Württemberg, 25 February 2021, 17 Sa 37/20, margin number 61 (available here).
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition). See also Moos, Schefzig, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 37a-38 (C.H. Beck 2021, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 21 (C.H. Beck 2020, 3rd Edition).
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 39-42 (C.H. Beck 2021, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 23 (C.H. Beck 2020, 3rd Edition).