Article 24 GDPR: Difference between revisions
Line 2: | Line 2: | ||
![[Article 23 GDPR|←]] Article 24 - Responsibility of the controller [[Article 25 GDPR|→]] | ![[Article 23 GDPR|←]] Article 24 - Responsibility of the controller [[Article 25 GDPR|→]] | ||
|- | |- | ||
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | | style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | ||
|- | |- | ||
| | | | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 17: | Line 17: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 31: | Line 31: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 50: | Line 50: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible | <div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 77: | Line 77: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 91: | Line 91: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 107: | Line 107: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 131: | Line 131: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 146: | Line 146: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 160: | Line 160: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 169: | Line 169: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 184: | Line 184: | ||
|} | |} | ||
== Legal Text == | ==Legal Text== | ||
<br /><center>'''Article 24 - Responsibility of the controller'''</center><br /> | <br /><center>'''Article 24 - Responsibility of the controller'''</center><br /> | ||
Line 206: | Line 206: | ||
</div></div> | </div></div> | ||
== Commentary == | ==Commentary== | ||
'' | === Overview === | ||
Article 24 opens Section 1 of Chapter 5 of the GDPR, dedicated to the “''General obligations''” of controller and processor. This provision introduces one of the most innovative aspects of the GDPR as it holds the controller accountable for the processing operations, which must be known (“''taking into account''”), controlled (through “''appropriate technical and organisational measures''”) and regularly reviewed (“''updated where necessary''”). The controller must do so to “''ensure''” compliance with the Regulation. | |||
== Decisions == | === Appropriate technical and organisational measures === | ||
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles (Article 5), data subject’s rights (amongst the others, Article 12-22) and controller’s obligations. | |||
To obtain such a result, the controller must study the processing, and select the most appropriate measures among the different options available. The appropriateness of a measure shall be defined considering the “''nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons''”. However, the provision does not provide clear instructions as to how these elements interact. It follows that EDPB’s position and DPAs’ decisions will play an essential role in defining what was appropriate and what was not. | |||
=== Demonstrate compliance === | |||
Controllers not only have to “''ensure''” compliance they also have to “''demonstrate''” it. Since the term “compliance” includes all the GDPR provisions, the burden of proof will cover the very same items. | |||
The burden of proof is not limited to the mere keeping of the typical documents (registry of the processing activities, data protection impact assessment, where required). If the controller has to demonstrate compliance with the GDPR, then many other aspects should be considered. | |||
For instance, Article 5(1)(c) establishes the data minimisation principle under which processing shall be limited to “''what is necessary in relation to the purposes for which they are processed''”. Therefore, the controller should demonstrate why specific processing needed a certain amount of information and not any less. Again, if the processing is based on consent, controllers must prove whether the user’s decision was validly obtained and justify every consent requirement. | |||
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. These practices can assist the controller in demonstrating compliance. | |||
==Decisions== | |||
→ You can find all related decisions in [[:Category:Article 24 GDPR]] | → You can find all related decisions in [[:Category:Article 24 GDPR]] | ||
== References == | ==References== | ||
<references /> | <references /> | ||
[[Category:Article 24 GDPR]] [[Category:GDPR]] | [[Category:Article 24 GDPR]] | ||
[[Category:GDPR]] |
Revision as of 11:05, 9 February 2021
Legal Text
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Relevant Recitals
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
Commentary
Overview
Article 24 opens Section 1 of Chapter 5 of the GDPR, dedicated to the “General obligations” of controller and processor. This provision introduces one of the most innovative aspects of the GDPR as it holds the controller accountable for the processing operations, which must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”). The controller must do so to “ensure” compliance with the Regulation.
Appropriate technical and organisational measures
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles (Article 5), data subject’s rights (amongst the others, Article 12-22) and controller’s obligations.
To obtain such a result, the controller must study the processing, and select the most appropriate measures among the different options available. The appropriateness of a measure shall be defined considering the “nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. However, the provision does not provide clear instructions as to how these elements interact. It follows that EDPB’s position and DPAs’ decisions will play an essential role in defining what was appropriate and what was not.
Demonstrate compliance
Controllers not only have to “ensure” compliance they also have to “demonstrate” it. Since the term “compliance” includes all the GDPR provisions, the burden of proof will cover the very same items.
The burden of proof is not limited to the mere keeping of the typical documents (registry of the processing activities, data protection impact assessment, where required). If the controller has to demonstrate compliance with the GDPR, then many other aspects should be considered.
For instance, Article 5(1)(c) establishes the data minimisation principle under which processing shall be limited to “what is necessary in relation to the purposes for which they are processed”. Therefore, the controller should demonstrate why specific processing needed a certain amount of information and not any less. Again, if the processing is based on consent, controllers must prove whether the user’s decision was validly obtained and justify every consent requirement.
Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. These practices can assist the controller in demonstrating compliance.
Decisions
→ You can find all related decisions in Category:Article 24 GDPR