Article 24 GDPR

From GDPRhub
Article 24 - Responsibility of the controller
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 24 - Responsibility of the controller


1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Relevant Recitals

Recital 74: Controller Responsibility and Liability
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Recital 75: Risks to the Rights and Freedoms of Natural Persons
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Recital 76: Evaluating the Risks to Natural Persons
The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Recital 77: Guidance on Evaluating Risks
Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

Recital 78: Appropriate Technical and Organisational Measures
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Commentary on Article 24

This provision opens Chapter 4’s Section 1, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s essential responsibility as the first addressee for compliance with the provisions of the GDPR.[1] Since it provides an overview, the actual obligations that follow from the controller’s responsibility are described more specifically in other provisions, such as Article 25 GDPR or Article 32 GDPR.[2] However, according to Plath, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.[3]

Although the provision speaks of “responsibility”, it imposes accountability on the controller, next to Article 5(2) GDPR.[4] According to Docksey, this principle is one of the GDPR’s most innovative aspects,[5] since meaning has developed from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance.[6] Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that controller must do so to “ensure” compliance with the Regulation.

(1) Appropriate Technical and Organisational Measures

The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles (Article 5 GDPR), data subject’s rights (amongst others, Articles 12 to 22 GDPR) and controller’s obligations.

The term "measure" must be understood broadly since it refers to all actions that are appropriate in serving the purpose of achieving compliance of the processing with the GDPR.[7] As the provision explains, this can be done through technical and organisational means. Technical measures are measures of which its technical effect lies in the functionality of the technique, for example by securing the access (password protection) or transfer (encryption).[8] Of course, these technical measures would not mean a lot if there were no organisational measures that secure compliance with these technical measures. One can think of the implementation of sampling routines, the duty to log activities, or training of employees by the DPO.[9] Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "transparency with regard to the functions and processing of personal data". It must be noted, however, that it is not always clear to distinct between technical and organisational measures, since these can overlap. However, as Hartung mentions, this is not really a problem since the GDPR does not differentiate in terms of legal requirements.[10]

To know which measures should be implemented, the controller must select the most appropriate ones among the different options available. Hence, this is an example of a risk-based approach that has been implemented throughout the GDPR. This risk-based approach focuses on two aspects: "likelihood" and "severity". Whereas Article 17 of the Data Protection Directive (DPD) merely mentioned the latter element, the controller must now also consider the likelihood.[11]

The appropriateness of a measure shall be defined considering the “nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons”. However, the provision does not provide clear instructions as to how these elements interact. It follows that EDPB’s position and DPAs’ decisions will play an essential role in defining what was appropriate and what was not.

Demonstrating

Controllers not only have to “ensure” compliance they also have to “demonstrate” it. Since the term “compliance” includes all the GDPR provisions, the burden of proof will cover the very same items.

The burden of proof is not limited to the mere keeping of the typical documents (registry of the processing activities, data protection impact assessment, where required). If the controller has to demonstrate compliance with the GDPR, then many other aspects should be considered.

For instance, Article 5(1)(c) GDPR establishes the data minimisation principle under which processing shall be limited to “what is necessary in relation to the purposes for which they are processed”. Therefore, the controller should demonstrate why specific processing needed a certain amount of information and not any less. Again, if the processing is based on consent, controllers must prove whether the user’s decision was validly obtained and justify every consent requirement.

(2) Data Protection Policies

This paragraph expands on paragraph 1 since it emphasises measures that are primarily oriented towards procedures, rather than result.[12]

(3) Codes of Conduct as Evidence of Compliance

You can help us fill this section!

Decisions

→ You can find all related decisions in Category:Article 24 GDPR

References

  1. Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 1 (C.H.Beck 2020).
  2. Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020).
  3. Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to Plath, in Plath Art. 24, para 2.
  4. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).
  5. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557 (Oxford University Press 2020).
  6. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 561 (Oxford University Press 2020).
  7. Martini, in Paal & Pauly, DS-GVO Art. 24, para 20a (C.H.Beck 2021).
  8. Martini, in Paal & Pauly, DS-GVO Art. 24, para 21 (C.H.Beck 2021).
  9. Martini, in Paal & Pauly, DS-GVO Art. 24, para 22 (C.H.Beck 2021).
  10. Hartung, in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to Plath, in Plath Art. 24, para 17.
  11. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 564 (Oxford University Press 2020).
  12. Martini, in Paal & Pauly, DS-GVO Art. 24, para 39 (C.H.Beck 2021).