Article 24 GDPR: Difference between revisions
(→(2) Data Protection Policies: Comprised references) |
(→(1) Appropriate Technical and Organisational Measures: Changed sub-headings for layout) |
||
Line 204: | Line 204: | ||
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles ([[Article 5 GDPR]]), data subject’s rights (amongst others, [[Article 12 GDPR|Articles 12]] to [[Article 22 GDPR|22 GDPR]]) and controller’s obligations. | The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles ([[Article 5 GDPR]]), data subject’s rights (amongst others, [[Article 12 GDPR|Articles 12]] to [[Article 22 GDPR|22 GDPR]]) and controller’s obligations. | ||
==== '''Measures''' ==== | |||
The term "measure" must be understood broadly since it refers to all actions that are appropriate in serving the purpose of achieving compliance of the processing with the GDPR. As the provision explains, this can be done through technical and organisational means. Technical measures are measures of which its technical effect lies in the functionality of the technique, for example by securing the access (password protection) or transfer (encryption). Of course, these technical measures would not mean a lot if there were no organisational measures that secure compliance with these technical measures. One can think of the implementation of sampling routines, the duty to log activities, or training of employees by the DPO.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 20a-22 (C.H.Beck 2021). </ref> Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "''transparency with regard to the functions and processing of personal data''". It must be noted, however, that it is not always clear to distinct between technical and organisational measures, since these can overlap. However, as ''Hartung'' mentions, this is not really a problem since the GDPR does not differentiate in terms of legal requirements.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to ''Plath,'' in Plath Art. 24, para 17.</ref> | The term "measure" must be understood broadly since it refers to all actions that are appropriate in serving the purpose of achieving compliance of the processing with the GDPR. As the provision explains, this can be done through technical and organisational means. Technical measures are measures of which its technical effect lies in the functionality of the technique, for example by securing the access (password protection) or transfer (encryption). Of course, these technical measures would not mean a lot if there were no organisational measures that secure compliance with these technical measures. One can think of the implementation of sampling routines, the duty to log activities, or training of employees by the DPO.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 20a-22 (C.H.Beck 2021). </ref> Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "''transparency with regard to the functions and processing of personal data''". It must be noted, however, that it is not always clear to distinct between technical and organisational measures, since these can overlap. However, as ''Hartung'' mentions, this is not really a problem since the GDPR does not differentiate in terms of legal requirements.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to ''Plath,'' in Plath Art. 24, para 17.</ref> | ||
==== '''Risk-based approach - elements''' ==== | |||
To know which measures should be implemented, the controller must perform an assessment to select the most appropriate ones among the different options available. The provision lists several elements that the controller must take into account when assessing the risk. First, there are the ''nature'' of the processing (manual or automated), the ''scope'' of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the ''context'' of the processing (how many parties are involved, which systems are used, etc.), and the ''purposes'' of the processing.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 14 (C.H.Beck 2020).</ref> Second, the controller must assess the severity of the risk for the rights and freedoms of natural persons, ''and'' the likelihood that this risk materialises. Whereas Article 17 of the Data Protection Directive (DPD) merely mentioned the latter element, the controller must now also consider the likelihood of the materialisation.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref> | To know which measures should be implemented, the controller must perform an assessment to select the most appropriate ones among the different options available. The provision lists several elements that the controller must take into account when assessing the risk. First, there are the ''nature'' of the processing (manual or automated), the ''scope'' of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the ''context'' of the processing (how many parties are involved, which systems are used, etc.), and the ''purposes'' of the processing.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 14 (C.H.Beck 2020).</ref> Second, the controller must assess the severity of the risk for the rights and freedoms of natural persons, ''and'' the likelihood that this risk materialises. Whereas Article 17 of the Data Protection Directive (DPD) merely mentioned the latter element, the controller must now also consider the likelihood of the materialisation.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref> | ||
Recital 75 gives useful guidance to determine what this risk actually entails. Besides making clear that the damage can be physical, material, or immaterial, it lists a long list of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) Chapter of Fundamental Rights, that the principle of proportionality plays an important part in determining whether or not a measure is appropriate. Hence, the cost-effectiveness of a measure can play an important part in the assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 24 (C.H.Beck 2021).</ref> Lastly, although GDPR prescribes that the controller must determine the risk, it does not provide procedural steps on ''how'' to perform this assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 36 (C.H.Beck 2021).</ref> However, many DPA's, as well as the EDPB, provide guidelines for controllers to rely on. | Recital 75 gives useful guidance to determine what this risk actually entails. Besides making clear that the damage can be physical, material, or immaterial, it lists a long list of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) Chapter of Fundamental Rights, that the principle of proportionality plays an important part in determining whether or not a measure is appropriate. Hence, the cost-effectiveness of a measure can play an important part in the assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 24 (C.H.Beck 2021).</ref> Lastly, although GDPR prescribes that the controller must determine the risk, it does not provide procedural steps on ''how'' to perform this assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 36 (C.H.Beck 2021).</ref> However, many DPA's, as well as the EDPB, provide guidelines for controllers to rely on. | ||
==== '''Demonstrating and updating''' ==== | |||
Controllers not only have to ensure compliance, they also have to demonstrate it by providing evidence. This comprehensiveness of this evidence must be proportionate to the risk of the processing operation: the more risky a processing operation is, the more comprehensive the evidence must be. Conversely, with a low risk, a witness statement might already suffice, instead of physical documentation. Like other elements of the provision, this requirement is further specified in other provisions, like the maintaining of records of processing activities in [[Article 30 GDPR#1|Article 30(1)]], or the documenting of any personal data breaches in [[Article 33 GDPR#5|Article 33(5) GDPR]]. The fact that de controller has to demonstrate compliance, however, does not necessarily imply that the burden of proof lies with the controller in case of a claim under civil law. If a data subject asserts a claim for damages under [[Article 82 GDPR]], then ''they'' have to prove the violation of data protection law, their damages, and the causality.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 25-25d (C.H.Beck 2021).</ref> | Controllers not only have to ensure compliance, they also have to demonstrate it by providing evidence. This comprehensiveness of this evidence must be proportionate to the risk of the processing operation: the more risky a processing operation is, the more comprehensive the evidence must be. Conversely, with a low risk, a witness statement might already suffice, instead of physical documentation. Like other elements of the provision, this requirement is further specified in other provisions, like the maintaining of records of processing activities in [[Article 30 GDPR#1|Article 30(1)]], or the documenting of any personal data breaches in [[Article 33 GDPR#5|Article 33(5) GDPR]]. The fact that de controller has to demonstrate compliance, however, does not necessarily imply that the burden of proof lies with the controller in case of a claim under civil law. If a data subject asserts a claim for damages under [[Article 82 GDPR]], then ''they'' have to prove the violation of data protection law, their damages, and the causality.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 25-25d (C.H.Beck 2021).</ref> | ||
Revision as of 15:19, 17 February 2022
Legal Text
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
Relevant Recitals
Commentary on Article 24
This provision opens Chapter 4’s Section 1, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s essential responsibility as the first addressee for compliance with the provisions of the GDPR.[1] Since it provides an overview, the actual obligations that follow from the controller’s responsibility are described more specifically in other provisions, such as Article 25 GDPR or Article 32 GDPR.[2] However, according to Plath, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.[3] Nevertheless, Article 24 is the only provision in this section, where a violation cannot be sanctioned with a fine under Article 83(4)(a) or Article 83(5) GDPR. As Hartung notes, this supports the view that the provision is intended as a general provision that provides an overview of the controller.
Although the provision speaks of “responsibility”, it imposes accountability on the controller, next to Article 5(2) GDPR. According to Docksey, this principle is one of the GDPR’s most innovative aspects, since meaning has developed from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance.[4] Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that the controller can “ensure” compliance with the Regulation.
(1) Appropriate Technical and Organisational Measures
The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles (Article 5 GDPR), data subject’s rights (amongst others, Articles 12 to 22 GDPR) and controller’s obligations.
Measures
The term "measure" must be understood broadly since it refers to all actions that are appropriate in serving the purpose of achieving compliance of the processing with the GDPR. As the provision explains, this can be done through technical and organisational means. Technical measures are measures of which its technical effect lies in the functionality of the technique, for example by securing the access (password protection) or transfer (encryption). Of course, these technical measures would not mean a lot if there were no organisational measures that secure compliance with these technical measures. One can think of the implementation of sampling routines, the duty to log activities, or training of employees by the DPO.[5] Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "transparency with regard to the functions and processing of personal data". It must be noted, however, that it is not always clear to distinct between technical and organisational measures, since these can overlap. However, as Hartung mentions, this is not really a problem since the GDPR does not differentiate in terms of legal requirements.[6]
Risk-based approach - elements
To know which measures should be implemented, the controller must perform an assessment to select the most appropriate ones among the different options available. The provision lists several elements that the controller must take into account when assessing the risk. First, there are the nature of the processing (manual or automated), the scope of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the context of the processing (how many parties are involved, which systems are used, etc.), and the purposes of the processing.[7] Second, the controller must assess the severity of the risk for the rights and freedoms of natural persons, and the likelihood that this risk materialises. Whereas Article 17 of the Data Protection Directive (DPD) merely mentioned the latter element, the controller must now also consider the likelihood of the materialisation.[8]
Recital 75 gives useful guidance to determine what this risk actually entails. Besides making clear that the damage can be physical, material, or immaterial, it lists a long list of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "loss of confidentiality of personal data protected by professional secrecy". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) Chapter of Fundamental Rights, that the principle of proportionality plays an important part in determining whether or not a measure is appropriate. Hence, the cost-effectiveness of a measure can play an important part in the assessment.[9] Lastly, although GDPR prescribes that the controller must determine the risk, it does not provide procedural steps on how to perform this assessment.[10] However, many DPA's, as well as the EDPB, provide guidelines for controllers to rely on.
Demonstrating and updating
Controllers not only have to ensure compliance, they also have to demonstrate it by providing evidence. This comprehensiveness of this evidence must be proportionate to the risk of the processing operation: the more risky a processing operation is, the more comprehensive the evidence must be. Conversely, with a low risk, a witness statement might already suffice, instead of physical documentation. Like other elements of the provision, this requirement is further specified in other provisions, like the maintaining of records of processing activities in Article 30(1), or the documenting of any personal data breaches in Article 33(5) GDPR. The fact that de controller has to demonstrate compliance, however, does not necessarily imply that the burden of proof lies with the controller in case of a claim under civil law. If a data subject asserts a claim for damages under Article 82 GDPR, then they have to prove the violation of data protection law, their damages, and the causality.[11]
As the last sentence of the first paragraph makes clear, the controller must continuously be able to demonstrate compliance, by reviewing implemented measures and updating them where necessary. Hence, like other elements, this requirement is closely related to other provisions. In this case, this requirement is closely related to the controller's obligations laid down in Article 32(1)(d) GDPR. It is not specified how frequent the updating process must be, apart from "if necessary". Again, it is up to the controller to make sure that it keeps track whether their processing operations are still compliant.[12]
(2) Data Protection Policies
Although Hartung claims that this paragraph is puzzling to understand,[13], Martini states that this paragraph expands on paragraph 1 by specifying the conditions under which the measures, listed in paragraph 1, must also include data protection measures. By singling out data protection measures, Martini further considers that these kind of measures are specific measures within the more "general" organisational measures, and that the measures listed in paragraph 2 are primarily oriented towards procedures, rather than result. These policies are thus not merely legal requirements, but concrete procedural instructions to follow, in order to avoid any violation with the GDPR. The clear instructions that should follow from such policies are linked with Article 39(1)(b) GDPR, which states that the tasks of the DPO to monitor compliance with the data protection policies include awareness-training and the training of staff. Again, the principle of proportionality plays a big role: one can expect a large company with many different processing operations to have more worked out, specific instructions, than a small company with few processing operations.[14]
(3) Codes of Conduct as Evidence of Compliance
The last paragraph of this provision provides the controller more certainty regarding the question whether or not it is sufficiently able to demonstrate compliance with its obligations. The controller can show that it adhered to approved codes of conduct as referred to in Article 40 GDPR, approved certification mechanisms as referred to in Article 42 GDPR, or, according to Recital 77: guidelines by the EDPB or advice by the data protection officer. Nevertheless, it follows from the word "element" that such adherence only supports the assumption that the controller is compliant, and does not prove it.[15]
Decisions
→ You can find all related decisions in Category:Article 24 GDPR
References
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 1 (C.H.Beck 2020).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to Plath, in Plath Art. 24, para 2.
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557-561 (Oxford University Press 2020).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, paras 20a-22 (C.H.Beck 2021).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to Plath, in Plath Art. 24, para 17.
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 14 (C.H.Beck 2020).
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 564 (Oxford University Press 2020).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, para 24 (C.H.Beck 2021).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, para 36 (C.H.Beck 2021).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, paras 25-25d (C.H.Beck 2021).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, paras 37a-38 (C.H.Beck 2021).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 21 (C.H.Beck 2020).
- ↑ Martini, in Paal & Pauly, DS-GVO Art. 24, paras 39-42 (C.H.Beck 2021).
- ↑ Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 20 (C.H.Beck 2020).