Article 24 GDPR: Difference between revisions
No edit summary |
m (→Legal Text) |
||
(8 intermediate revisions by 2 users not shown) | |||
Line 185: | Line 185: | ||
==Legal Text== | ==Legal Text== | ||
<center>'''Article 24 - Responsibility of the controller'''</center> | |||
<span id="1">1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.</span> | <span id="1">1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.</span> | ||
Line 197: | Line 197: | ||
==Commentary== | ==Commentary== | ||
This provision opens Section 1 of Chapter IV, which is dedicated to the “''General obligations''” of the controller and processor. | This provision opens Section 1 of Chapter IV, which is dedicated to the “''General obligations''” of the controller and processor. Article 24 stipulates the abstract obligation of the controller to ensure and demonstrate GDPR compliance and expands the accountability principle set out in [[Article 5 GDPR|Article 5(2) GDPR]]. Article 24 is therefore closely connected to the more specific obligations of the controller, such as [[Article 25 GDPR]] or [[Article 32 GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).</ref> This article assigns a ''proactive role'' to the controller, who has to ensure compliance with the GDPR at all stages of processing.<ref>''Docksey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).</ref> To achieve this goal, the controller uses technical and organisational measures that are ''appropriate to the risk'' connected to the processing (''risk based approach'').<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).</ref> | ||
The controller is not only responsible for | The controller is not only responsible for actual compliance with the GDPR; it must also be able to ''demonstrate'' compliance. The controller can use codes of conduct or approved certification mechanisms as an element of such demonstration. | ||
Article 24 GDPR is the only | Article 24 GDPR is the only article in the section on the general obligations which cannot be directly penalised with a fine under [[Article 83 GDPR|Article 83(4)(a)]] or [[Article 83 GDPR|Article 83(5) GDPR]].<ref>However, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations. ''Plath,'' in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).</ref> <blockquote><u>EDPB and WP29 Guidelines:</u> For this Article there are the (i) EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1) (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en here]), (ii) WP29, 'Opinion 3/2010 on the principle of accountability', 00062/10/EN WP173, 13 July 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf here]), (iii) WP29, 'Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679' 17/EN WP248 rev.01, 4 April 2017 (available [https://ec.europa.eu/newsroom/article29/items/611236/en here]). </blockquote> | ||
===(1) | ===(1) Obligation to implement appropriate technical and organisational measures=== | ||
This provision obliges the controller to implement appropriate technical and organisational measures to ensure compliance of its processing activities with the GDPR. Therefore, this provision addresses the controller ( | This provision obliges the controller to implement appropriate technical and organisational measures to ensure compliance of its processing activities with the GDPR. Therefore, this provision addresses the controller ([[Article 4 GDPR|Article 4(7) GDPR]]) as the primary addressee for GDPR compliance. Other entities, such as data processors, are not subject of Article 24 and their responsibility is limited to specific aspects regulated separately. However, even a limited responsibility of a processor does not affect the overall accountability and liability of the controller.<ref>''Petri'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 9 (C.H. Beck 2019).</ref> | ||
Article 24(1) goes beyond the mere compliance with the GDPR. The controller must also be able to ''demonstrate'' that the processing is performed in accordance with the GDPR. <blockquote> | Article 24(1) goes beyond the mere compliance with the GDPR. The controller must also be able to ''demonstrate'' that the processing is performed in accordance with the GDPR. <blockquote>{{Quote-example|It is not sufficient that a controller manages to answer to access requests in accordance with [[Article 12 GDPR]] and [[Article 15 GDPR]]. The controller must also be able to ''demonstrate'' that it implemented appropriate technical and organisational measures that ensure such compliance with the data subject's right to access.}}</blockquote>The technical and organisational measures implemented by the controller are subject to change and must be reviewed and updated regularly in order to ensure the appropriateness of those measures. | ||
It should be noted that the GDPR imposes the duty to implement appropriate technical and organisational measures and to perform a respective risk assessment in a number of its provisions (e.g. in Articles 24, [[Article 25 GDPR|25]], [[Article 32 GDPR|32]] and [[Article 35 GDPR|35]]). A controller usually performs one risk assessment for each processing activity taking into account all the requirements set out in the different provisions of the GDPR and implements then appropriate technical and organisational measures that best comply with all those provision. | |||
===== Nature, scope, context and purposes of the processing ===== | ====Taking into account... ==== | ||
To decide which specific technical and organisational measures to implement, the controller must perform a comprehensive assessment of processing activities and analyse potential consequences and causes of harm in order to effectively evaluate and mitigate risks associated with the data processing. | |||
=====Nature, scope, context and purposes of the processing===== | |||
The controller must consider the ''nature, scope, context and purposes'' of the processing.<ref>The attribution of the various conditions to these criteria is not practised consistently. </ref> | The controller must consider the ''nature, scope, context and purposes'' of the processing.<ref>The attribution of the various conditions to these criteria is not practised consistently. </ref> | ||
The ''nature'' of the processing refers in particular to the type or processing (e.g. collection, recording, storing, etc.) as well as to the categories of data processed (e.g. whether special categories of personal data are processed).<ref name=":0">''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | The ''nature'' of the processing refers in particular to the type or processing (e.g. collection, recording, storing, etc.) as well as to the categories of data processed (e.g. whether special categories of personal data are processed).<ref name=":0">''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | ||
The ''scope'' of the processing refers to the ''quantity'' of the data processing resulting from the amount of affected data subjects the amount of processed data, duration and geographical extend of the data processing.<ref>''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | The ''scope'' of the processing refers to the ''quantity'' of the data processing resulting from the amount of affected data subjects, the amount of processed data, the duration and the geographical extend of the data processing.<ref>''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | ||
The ''context'' of the processing refers to the specific circumstances such as the modalities and technical implementation, the type and method of data collection and the legal basis in accordance with Article 6 GDPR.<ref>''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | The ''context'' of the processing refers to the specific circumstances such as the modalities and technical implementation, the type and method of data collection and the legal basis in accordance with Article 6 GDPR.<ref>''Pollirer,'' in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).</ref> | ||
The controller also has to consider the ''purposes'' of the processing. See the commentary on [[Article 5 GDPR|Article 5(1)(b) GDPR]] for more details on the purpose. | The controller also has to consider the ''purposes'' of the processing. See the commentary on [[Article 5 GDPR|Article 5(1)(b) GDPR]] for more details on the purpose of a processing activity. | ||
===== Risks of varying likelihood and severity for rights and freedoms of natural persons ===== | =====Risks of varying likelihood and severity for rights and freedoms of natural persons===== | ||
Second, the controller must assess the severity of | Second, the controller must identify the risks associated with the respective processing activity and assess the severity of those risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. | ||
The likelihood is the statistical probability that a certain risk will materialise in the future. It should be noted that some risks are inherent to processing activities – the likelihood is therefore 100 %.<ref>''Hötzendorfer'', ''Kastelitz'', ''Tschohl'', in Knyrim, DatKomm, Article 24 GDPR, margin numbers 20 (Manz 2022).</ref> <blockquote> | The ''likelihood'' is the statistical probability that a certain risk will materialise in the future. It should be noted that some risks are inherent to processing activities – the likelihood is therefore 100 %.<ref>''Hötzendorfer'', ''Kastelitz'', ''Tschohl'', in Knyrim, DatKomm, Article 24 GDPR, margin numbers 20 (Manz 2022).</ref> <blockquote>{{Quote-example|A controller publishes certain personal data. The loss of confidentiality is a risk that certainly materialises in course of the processing activity.}}</blockquote>The ''severity'' of the risk is determined by the ''extent'' a potential damage would have to the rights and freedoms of a natural person as well as the nature of the damage.<ref>''Hötzendorfer'', ''Kastelitz'', ''Tschohl'', in Knyrim, DatKomm, Article 24 GDPR, margin numbers 21 (Manz 2022). </ref> Recital 75 clarifies that the damage can be physical, material, or immaterial and lists a range of examples of damages, such as discrimination, identity theft, fraud and loss of confidentiality or control. | ||
According to Recital 76 the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. It also states that the risk should be evaluated on the basis of an ''objective assessment''. | According to Recital 76 the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. It also states that the risk should be evaluated on the basis of an ''objective assessment''. | ||
Article 24 does not prescribe procedural steps on how to perform this assessment. Therefore, it is left to the controller to use a suitable method. However, regarding the methodology, reference can be made to the risk assessment in course of a | Article 24 does not prescribe procedural steps on how to perform this assessment. Therefore, it is left to the controller to use a suitable method. However, regarding the methodology, reference can be made to the risk assessment in the course of a ''data protection impact assessment'' in accordance with [[Article 35 GDPR]], which a controller has to carry out if a processing activity is likely to result in a high risk for the rights and freedoms of natural persons. | ||
==== Shall implement appropriate technical and organisational measures to ensure GDPR compliance ==== | ====Shall implement appropriate technical and organisational measures to ensure GDPR compliance==== | ||
===== Technical and organisational measures ===== | =====Technical and organisational measures===== | ||
The term "''measure''" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. | The term "''measure''" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. | ||
Technical measures have a direct effect on the operation of technical processing, while | ''Technical measures'' have a direct effect on the operation of technical processing, while ''organisational measures'' have an effect on the circumstances of processing.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2024, 4th Edition).</ref> | ||
Examples of a technical measure are pseudonymisation of personal data, encryption, access restrictions and password protection. The implementation of data protection policies, a yearly review of the processing activities and training of employees and management would be organisational measures. In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, this is unproblematic because the GDPR does not differentiate between the two in terms of legal requirements.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2024, 4th Edition).</ref><blockquote>{{Quote-example|A controller wants to enable its employees to work from home. In order to ensure GDPR compliance, he implements a number of technical and organisational measures, like providing a VPN connection to the company network (technical measure) and drafting a “work from home” policy which makes the use of the VPN connection mandatory (organisational measure). }}</blockquote> | |||
=====Appropriate measures to ensure GDPR compliance===== | |||
The controller has to implement technical and organisational measures that are ''appropriate'' for the respective processing activity and ''effective''.<ref>''Dumortier'', ''Gryffroy,'' in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 27 et seq (C.H.Beck 2023).</ref> Therefore, the controller does not have to implement every available technical and organisational measure but has to consider – taking into account the specific processing activity and the underlying risks – which measures are necessary in order to ensure compliance with the GPDR and enable the controller to demonstrate such compliance. This assessment of proportionality follows from Article 52(1) CFR and has to be conducted by the controller itself. | |||
Certain provisions of the GPDR demand the implementation of more specific technical and organisational measures (e.g. Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1) since they serve the compliance with the obligations under the GDPR. However, the controller has to assess in these cases if additional measures are necessary. | Certain provisions of the GPDR demand the implementation of more specific technical and organisational measures (e.g. Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1) since they serve the compliance with the obligations under the GDPR. However, the controller has to assess in these cases if additional measures are necessary. | ||
==== And to demonstrate GDPR compliance ==== | ====And to demonstrate GDPR compliance==== | ||
Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in [[Article 5 GDPR|Article 5(2) GDPR]] which obliges the controller to be able to demonstrate compliance with the data protection principles set out in [[Article 5 GDPR|Article 5(1) GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref> | Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in [[Article 5 GDPR|Article 5(2) GDPR]] which obliges the controller to be able to demonstrate compliance with the data protection principles set out in [[Article 5 GDPR|Article 5(1) GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref> | ||
The ability to demonstrate compliance with the GDPR must be ensured by the implementation of appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).</ref> The controller can use a wide variety of ways in order to demonstrate that it implemented appropriate technical and organisational measures that ensure compliance with the GDPR. In particular, the controller can refer to data protection policies (Article 24(2)) or approved codes of conduct or certification mechanisms (Article 24(3)). Recitals 77 | The ability to demonstrate compliance with the GDPR must be ensured by the implementation of appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).</ref> The controller can use a wide variety of ways in order to demonstrate that it implemented appropriate technical and organisational measures that ensure compliance with the GDPR. In particular, the controller can refer to data protection policies (Article 24(2)) or approved codes of conduct or certification mechanisms (Article 24(3)). Recitals 77 additionally mentions EDPB guidelines and indications provided by the data protection officer. | ||
Certain provisions of the GDPR provide for specific measures to demonstrate compliance (e.g. maintaining a record of processing activities under [[Article 30 GDPR|Article 30(1)]] GDPR, documenting personal data breaches under [[Article 33 GDPR|Article 33(5) GDPR]] or performing a data protection impact assessment under [[Article 35 GDPR]]).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref> | Certain provisions of the GDPR provide for specific measures to demonstrate compliance (e.g. maintaining a record of processing activities under [[Article 30 GDPR|Article 30(1)]] GDPR, documenting personal data breaches under [[Article 33 GDPR|Article 33(5) GDPR]] or performing a data protection impact assessment under [[Article 35 GDPR]]).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref> | ||
The duty to demonstrate compliance is not limited to | The duty to demonstrate compliance is not limited to demonstrations to the supervisory authority. The duty, for example, also applies to complaint procedures in accordance with [[Article 77 GDPR]] or civil litigation under [[Article 79 GDPR]]. However, whether the controller’s obligation to demonstrate compliance also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to [[Article 82 GDPR|Article 82]], is disputed.<ref>instead of many: ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).</ref> | ||
==== Measures must be continuously reviewed and updated ==== | ====Measures must be continuously reviewed and updated ==== | ||
The controller must continuously ensure and demonstrate compliance with the GDPR by consistently reviewing existing measures and updating them. | The controller must continuously ensure and demonstrate compliance with the GDPR by consistently reviewing existing measures and updating them. | ||
Beyond the qualifier "''where necessary''", it is not specified how frequently updates must be carried out. The criterion of necessity does not mean that the controller must only react to concrete changes. Since it is the controller’s responsibility to ensure that their processing operations are compliant at any time, the controller has to review its measures regularly. However, ''significant changes'' in the processing activity or the legal environment will certainly trigger the obligation to review the technical and organisational measures.<ref>''Dumortier'', ''Gryffroy,'' in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 38 (C.H.Beck 2023).</ref> <blockquote> | Beyond the qualifier "''where necessary''", it is not specified how frequently updates must be carried out. The criterion of necessity does not mean that the controller must only react to concrete changes. Since it is the controller’s responsibility to ensure that their processing operations are compliant at any time, the controller has to review its measures regularly. However, ''significant changes'' in the processing activity or the legal environment will certainly trigger the obligation to review the technical and organisational measures.<ref>''Dumortier'', ''Gryffroy,'' in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 38 (C.H.Beck 2023).</ref> <blockquote>{{Quote-example|A controller running an online-shop receives a complaint from a data subject claiming that one of his online-forms violates the principle of data minimization ([[Article 5 GDPR|Article 5(1)(c) GDPR]]). Such a complaint could trigger a review of the processing activity.}}</blockquote>In course of the review the controller must assess if the current technical and organisational measures, are still appropriate and effective to ensure the compliance with the GDPR and to enable the controller to demonstrate the compliance. If not, the controller has to implement additional technical and organizational measures or change the existing ones in order to bring the processing activity in compliance with the GDPR.<ref>''Dumortier'', ''Gryffroy,'' in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 43 (C.H.Beck 2023)</ref> | ||
Particular attention should be paid to the advice of the data protection officer in accordance with [[Article 39 GDPR|Article 39(1) GDPR]], who is tasked with the monitoring of the controller’s compliance with data protection regulations (without decrementing the controller’s responsibility to ensure compliance). | Particular attention should be paid to the advice of the data protection officer in accordance with [[Article 39 GDPR|Article 39(1) GDPR]], who is tasked with the monitoring of the controller’s compliance with data protection regulations (without decrementing the controller’s responsibility to ensure compliance). | ||
=== (2) Data protection policies === | ===(2) Data protection policies=== | ||
Article 24(2) mentions a specific organisational measure, namely the implementation of ''data protection policies'' – internal guidelines with binding effect in the controller’s organization. Such policies regularly include concrete procedural instructions and oblige the controller’s employees to act in a specific way to ensure compliance with the GDPR.<ref>''Hötzendorfer'', ''Kastelitz'', ''Tschohl'', in Knyrim, DatKomm, Article 24 GDPR, margin numbers 31 (Manz 2022). </ref> If the controller appointed a data protection officer, this person is also tasked with the monitoring of the controller’s data protection policies (see [[Article 39 GDPR|Article 39(1)(b) GDPR]]) <blockquote> | Article 24(2) mentions a specific organisational measure, namely the implementation of ''data protection policies'' – internal guidelines with binding effect in the controller’s organization. Such policies regularly include concrete procedural instructions and oblige the controller’s employees to act in a specific way to ensure compliance with the GDPR.<ref>''Hötzendorfer'', ''Kastelitz'', ''Tschohl'', in Knyrim, DatKomm, Article 24 GDPR, margin numbers 31 (Manz 2022). </ref> If the controller appointed a data protection officer, this person is also tasked with the ''monitoring'' of the controller’s data protection policies (see [[Article 39 GDPR|Article 39(1)(b) GDPR]]). <blockquote>{{Quote-example|Most controllers have a ''general data protection policy'' covering topics like the destruction of sensitive documents, the usage of IT-infrastructure and deletion periods as well as more specific data protection policies like ''specific internal rules'' regarding the compliance with data protection in the product development process or the handling of access requests in accordance with Article 15 GDPR.}}</blockquote>The implementation of data protection policies is only mandatory, when it is ''proportionate'' to the processing activity. In other words, it is not obligatory to implement a data protection policy for all processing activities. However, for larger organisations or controllers of extensive processing activities the implementation of data protection policies is but necessary.<ref>Jos Dumortier, Pieter Gryffroy , Art 24 marginal number 24.</ref> | ||
Regardless of the existence of an obligation, an implementation of data protection policies is an important tool in order to ''demonstrate'' compliance with the GDPR. | Regardless of the existence of an obligation, an implementation of data protection policies is an important tool in order to ''demonstrate'' compliance with the GDPR. | ||
=== (3) Demonstration through codes of conduct and certifications === | === (3) Demonstration through codes of conduct and certifications=== | ||
Article 24(3) provides for the possibility to refer to the adherence to (i) approved codes of conduct ([[Article 40 GDPR]]), (ii) approved certification mechanisms ([[Article 42 GDPR]]) in order to ''indicate'' compliance with the GDPR | Article 24(3) provides for the possibility to refer to the adherence to (i) approved codes of conduct ([[Article 40 GDPR]]), (ii) approved certification mechanisms ([[Article 42 GDPR]]) in order to ''indicate'' compliance with the GDPR. Nevertheless, it follows from the word "''element''" that such self-regulation measures ''support'' the assumption that the controller is compliant, but do not prove it.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 23 (C.H. Beck 2024, 4rd Edition).</ref><blockquote>{{Quote-example|A credit information agency adheres to approved codes of conduct when implementing deletion periods for certain data categories could still violate [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 6 GDPR|Article 6(1) GDPR]] because the duration of those deletion periods are unjustified.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, ''SCHUFA'' ''Holding AG'', 07 December 2023, margin number 109 (available [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|here]]) </ref>}}</blockquote>This provision does not limit the possibility to demonstrate compliance via other means (see section on “And to demonstrate GDPR compliance” above). | ||
==Decisions== | ==Decisions== | ||
→ You can find all related decisions in [[:Category:Article 24 GDPR]] | → You can find all related decisions in [[:Category:Article 24 GDPR]] |
Latest revision as of 07:25, 30 October 2024
Legal Text
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Relevant Recitals
Commentary
This provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. Article 24 stipulates the abstract obligation of the controller to ensure and demonstrate GDPR compliance and expands the accountability principle set out in Article 5(2) GDPR. Article 24 is therefore closely connected to the more specific obligations of the controller, such as Article 25 GDPR or Article 32 GDPR.[1] This article assigns a proactive role to the controller, who has to ensure compliance with the GDPR at all stages of processing.[2] To achieve this goal, the controller uses technical and organisational measures that are appropriate to the risk connected to the processing (risk based approach).[3]
The controller is not only responsible for actual compliance with the GDPR; it must also be able to demonstrate compliance. The controller can use codes of conduct or approved certification mechanisms as an element of such demonstration.
Article 24 GDPR is the only article in the section on the general obligations which cannot be directly penalised with a fine under Article 83(4)(a) or Article 83(5) GDPR.[4]
EDPB and WP29 Guidelines: For this Article there are the (i) EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1) (available here), (ii) WP29, 'Opinion 3/2010 on the principle of accountability', 00062/10/EN WP173, 13 July 2010 (available here), (iii) WP29, 'Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679' 17/EN WP248 rev.01, 4 April 2017 (available here).
(1) Obligation to implement appropriate technical and organisational measures
This provision obliges the controller to implement appropriate technical and organisational measures to ensure compliance of its processing activities with the GDPR. Therefore, this provision addresses the controller (Article 4(7) GDPR) as the primary addressee for GDPR compliance. Other entities, such as data processors, are not subject of Article 24 and their responsibility is limited to specific aspects regulated separately. However, even a limited responsibility of a processor does not affect the overall accountability and liability of the controller.[5]
Article 24(1) goes beyond the mere compliance with the GDPR. The controller must also be able to demonstrate that the processing is performed in accordance with the GDPR.
For example: It is not sufficient that a controller manages to answer to access requests in accordance with Article 12 GDPR and Article 15 GDPR. The controller must also be able to demonstrate that it implemented appropriate technical and organisational measures that ensure such compliance with the data subject's right to access.
The technical and organisational measures implemented by the controller are subject to change and must be reviewed and updated regularly in order to ensure the appropriateness of those measures.
It should be noted that the GDPR imposes the duty to implement appropriate technical and organisational measures and to perform a respective risk assessment in a number of its provisions (e.g. in Articles 24, 25, 32 and 35). A controller usually performs one risk assessment for each processing activity taking into account all the requirements set out in the different provisions of the GDPR and implements then appropriate technical and organisational measures that best comply with all those provision.
Taking into account...
To decide which specific technical and organisational measures to implement, the controller must perform a comprehensive assessment of processing activities and analyse potential consequences and causes of harm in order to effectively evaluate and mitigate risks associated with the data processing.
Nature, scope, context and purposes of the processing
The controller must consider the nature, scope, context and purposes of the processing.[6]
The nature of the processing refers in particular to the type or processing (e.g. collection, recording, storing, etc.) as well as to the categories of data processed (e.g. whether special categories of personal data are processed).[7]
The scope of the processing refers to the quantity of the data processing resulting from the amount of affected data subjects, the amount of processed data, the duration and the geographical extend of the data processing.[8]
The context of the processing refers to the specific circumstances such as the modalities and technical implementation, the type and method of data collection and the legal basis in accordance with Article 6 GDPR.[9]
The controller also has to consider the purposes of the processing. See the commentary on Article 5(1)(b) GDPR for more details on the purpose of a processing activity.
Risks of varying likelihood and severity for rights and freedoms of natural persons
Second, the controller must identify the risks associated with the respective processing activity and assess the severity of those risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise.
The likelihood is the statistical probability that a certain risk will materialise in the future. It should be noted that some risks are inherent to processing activities – the likelihood is therefore 100 %.[10]
The severity of the risk is determined by the extent a potential damage would have to the rights and freedoms of a natural person as well as the nature of the damage.[11] Recital 75 clarifies that the damage can be physical, material, or immaterial and lists a range of examples of damages, such as discrimination, identity theft, fraud and loss of confidentiality or control.
According to Recital 76 the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. It also states that the risk should be evaluated on the basis of an objective assessment.
Article 24 does not prescribe procedural steps on how to perform this assessment. Therefore, it is left to the controller to use a suitable method. However, regarding the methodology, reference can be made to the risk assessment in the course of a data protection impact assessment in accordance with Article 35 GDPR, which a controller has to carry out if a processing activity is likely to result in a high risk for the rights and freedoms of natural persons.
Shall implement appropriate technical and organisational measures to ensure GDPR compliance
Technical and organisational measures
The term "measure" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means.
Technical measures have a direct effect on the operation of technical processing, while organisational measures have an effect on the circumstances of processing.[12]
Examples of a technical measure are pseudonymisation of personal data, encryption, access restrictions and password protection. The implementation of data protection policies, a yearly review of the processing activities and training of employees and management would be organisational measures. In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, this is unproblematic because the GDPR does not differentiate between the two in terms of legal requirements.[13]
For example: A controller wants to enable its employees to work from home. In order to ensure GDPR compliance, he implements a number of technical and organisational measures, like providing a VPN connection to the company network (technical measure) and drafting a “work from home” policy which makes the use of the VPN connection mandatory (organisational measure).
Appropriate measures to ensure GDPR compliance
The controller has to implement technical and organisational measures that are appropriate for the respective processing activity and effective.[14] Therefore, the controller does not have to implement every available technical and organisational measure but has to consider – taking into account the specific processing activity and the underlying risks – which measures are necessary in order to ensure compliance with the GPDR and enable the controller to demonstrate such compliance. This assessment of proportionality follows from Article 52(1) CFR and has to be conducted by the controller itself.
Certain provisions of the GPDR demand the implementation of more specific technical and organisational measures (e.g. Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1) since they serve the compliance with the obligations under the GDPR. However, the controller has to assess in these cases if additional measures are necessary.
And to demonstrate GDPR compliance
Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in Article 5(2) GDPR which obliges the controller to be able to demonstrate compliance with the data protection principles set out in Article 5(1) GDPR.[15]
The ability to demonstrate compliance with the GDPR must be ensured by the implementation of appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.[16] The controller can use a wide variety of ways in order to demonstrate that it implemented appropriate technical and organisational measures that ensure compliance with the GDPR. In particular, the controller can refer to data protection policies (Article 24(2)) or approved codes of conduct or certification mechanisms (Article 24(3)). Recitals 77 additionally mentions EDPB guidelines and indications provided by the data protection officer.
Certain provisions of the GDPR provide for specific measures to demonstrate compliance (e.g. maintaining a record of processing activities under Article 30(1) GDPR, documenting personal data breaches under Article 33(5) GDPR or performing a data protection impact assessment under Article 35 GDPR).[17]
The duty to demonstrate compliance is not limited to demonstrations to the supervisory authority. The duty, for example, also applies to complaint procedures in accordance with Article 77 GDPR or civil litigation under Article 79 GDPR. However, whether the controller’s obligation to demonstrate compliance also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to Article 82, is disputed.[18]
Measures must be continuously reviewed and updated
The controller must continuously ensure and demonstrate compliance with the GDPR by consistently reviewing existing measures and updating them.
Beyond the qualifier "where necessary", it is not specified how frequently updates must be carried out. The criterion of necessity does not mean that the controller must only react to concrete changes. Since it is the controller’s responsibility to ensure that their processing operations are compliant at any time, the controller has to review its measures regularly. However, significant changes in the processing activity or the legal environment will certainly trigger the obligation to review the technical and organisational measures.[19]
For example: A controller running an online-shop receives a complaint from a data subject claiming that one of his online-forms violates the principle of data minimization (Article 5(1)(c) GDPR). Such a complaint could trigger a review of the processing activity.
In course of the review the controller must assess if the current technical and organisational measures, are still appropriate and effective to ensure the compliance with the GDPR and to enable the controller to demonstrate the compliance. If not, the controller has to implement additional technical and organizational measures or change the existing ones in order to bring the processing activity in compliance with the GDPR.[20]
Particular attention should be paid to the advice of the data protection officer in accordance with Article 39(1) GDPR, who is tasked with the monitoring of the controller’s compliance with data protection regulations (without decrementing the controller’s responsibility to ensure compliance).
(2) Data protection policies
Article 24(2) mentions a specific organisational measure, namely the implementation of data protection policies – internal guidelines with binding effect in the controller’s organization. Such policies regularly include concrete procedural instructions and oblige the controller’s employees to act in a specific way to ensure compliance with the GDPR.[21] If the controller appointed a data protection officer, this person is also tasked with the monitoring of the controller’s data protection policies (see Article 39(1)(b) GDPR).
For example: Most controllers have a general data protection policy covering topics like the destruction of sensitive documents, the usage of IT-infrastructure and deletion periods as well as more specific data protection policies like specific internal rules regarding the compliance with data protection in the product development process or the handling of access requests in accordance with Article 15 GDPR.
The implementation of data protection policies is only mandatory, when it is proportionate to the processing activity. In other words, it is not obligatory to implement a data protection policy for all processing activities. However, for larger organisations or controllers of extensive processing activities the implementation of data protection policies is but necessary.[22]
Regardless of the existence of an obligation, an implementation of data protection policies is an important tool in order to demonstrate compliance with the GDPR.
(3) Demonstration through codes of conduct and certifications
Article 24(3) provides for the possibility to refer to the adherence to (i) approved codes of conduct (Article 40 GDPR), (ii) approved certification mechanisms (Article 42 GDPR) in order to indicate compliance with the GDPR. Nevertheless, it follows from the word "element" that such self-regulation measures support the assumption that the controller is compliant, but do not prove it.[23]
For example: A credit information agency adheres to approved codes of conduct when implementing deletion periods for certain data categories could still violate Article 5(1)(a) and Article 6(1) GDPR because the duration of those deletion periods are unjustified.[24]
This provision does not limit the possibility to demonstrate compliance via other means (see section on “And to demonstrate GDPR compliance” above).
Decisions
→ You can find all related decisions in Category:Article 24 GDPR
References
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).
- ↑ Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).
- ↑ However, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations. Plath, in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).
- ↑ Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 9 (C.H. Beck 2019).
- ↑ The attribution of the various conditions to these criteria is not practised consistently.
- ↑ Pollirer, in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).
- ↑ Pollirer, in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).
- ↑ Pollirer, in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022).
- ↑ Hötzendorfer, Kastelitz, Tschohl, in Knyrim, DatKomm, Article 24 GDPR, margin numbers 20 (Manz 2022).
- ↑ Hötzendorfer, Kastelitz, Tschohl, in Knyrim, DatKomm, Article 24 GDPR, margin numbers 21 (Manz 2022).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2024, 4th Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2024, 4th Edition).
- ↑ Dumortier, Gryffroy, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 27 et seq (C.H.Beck 2023).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.
- ↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.
- ↑ instead of many: Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
- ↑ Dumortier, Gryffroy, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 38 (C.H.Beck 2023).
- ↑ Dumortier, Gryffroy, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 43 (C.H.Beck 2023)
- ↑ Hötzendorfer, Kastelitz, Tschohl, in Knyrim, DatKomm, Article 24 GDPR, margin numbers 31 (Manz 2022).
- ↑ Jos Dumortier, Pieter Gryffroy , Art 24 marginal number 24.
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 23 (C.H. Beck 2024, 4rd Edition).
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA Holding AG, 07 December 2023, margin number 109 (available here)