Article 24 GDPR: Difference between revisions
(→Commentary on Article 24: Added introduction on purpose and innovative aspect) |
|||
Line 197: | Line 197: | ||
==Commentary on Article 24== | ==Commentary on Article 24== | ||
Article 24 GDPR opens Section 1 of | ''Purpose'' | ||
Article 24 GDPR opens Chapter 4’s Section 1, which is dedicated to the “''General obligations''” of the controller and processor. It provides an overview of the controller’s essential responsibility as the first addressee for compliance with the provisions of the GDPR.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 1 (C.H.Beck 2020).</ref> Since it provides an overview, the actual obligations that follow from the controller’s responsibility are described more specifically in other provisions, such as Article 25 or Article 32.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020).</ref> However, according to ''Plath'', this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to ''Plath,'' in Plath Art. 24, para 2.</ref> | |||
''Innovative aspect'' | |||
Although the provision speaks of “responsibility”, it imposes accountability on the controller, next to Article 5(2) GDPR.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).</ref> According to ''Docksey'', this principle is one of the GDPR’s most innovative aspects,<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).</ref> since meaning has developed from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 561 (Oxford University Press 2020).</ref> Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that controller must do so to “ensure” compliance with the Regulation. | |||
===(1) Appropriate Technical and Organisational Measures=== | ===(1) Appropriate Technical and Organisational Measures=== |
Revision as of 15:17, 14 February 2022
Legal Text
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Relevant Recitals
Commentary on Article 24
Purpose
Article 24 GDPR opens Chapter 4’s Section 1, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s essential responsibility as the first addressee for compliance with the provisions of the GDPR.[1] Since it provides an overview, the actual obligations that follow from the controller’s responsibility are described more specifically in other provisions, such as Article 25 or Article 32.[2] However, according to Plath, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.[3]
Innovative aspect
Although the provision speaks of “responsibility”, it imposes accountability on the controller, next to Article 5(2) GDPR.[4] According to Docksey, this principle is one of the GDPR’s most innovative aspects,[5] since meaning has developed from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance.[6] Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that controller must do so to “ensure” compliance with the Regulation.
(1) Appropriate Technical and Organisational Measures
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles (Article 5 GDPR), data subject’s rights (amongst others, Articles 12 to 22 GDPR) and controller’s obligations.
To obtain such a result, the controller must study the processing, and select the most appropriate measures among the different options available. The appropriateness of a measure shall be defined considering the “nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. However, the provision does not provide clear instructions as to how these elements interact. It follows that EDPB’s position and DPAs’ decisions will play an essential role in defining what was appropriate and what was not.
Controllers not only have to “ensure” compliance they also have to “demonstrate” it. Since the term “compliance” includes all the GDPR provisions, the burden of proof will cover the very same items.
The burden of proof is not limited to the mere keeping of the typical documents (registry of the processing activities, data protection impact assessment, where required). If the controller has to demonstrate compliance with the GDPR, then many other aspects should be considered.
For instance, Article 5(1)(c) GDPR establishes the data minimisation principle under which processing shall be limited to “what is necessary in relation to the purposes for which they are processed”. Therefore, the controller should demonstrate why specific processing needed a certain amount of information and not any less. Again, if the processing is based on consent, controllers must prove whether the user’s decision was validly obtained and justify every consent requirement.
(2) Data Protection Policies
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. These practices can assist the controller in demonstrating compliance.
(3) Codes of Conduct as Evidence of Compliance
You can help us fill this section!
Decisions
→ You can find all related decisions in Category:Article 24 GDPR
References
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 1 (C.H.Beck 2020).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to Plath, in Plath Art. 24, para 2.
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 561 (Oxford University Press 2020).