Article 24 GDPR: Difference between revisions

From GDPRhub
(addition to "demonstrate gdpr compliance")
Line 236: Line 236:
Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in [[Article 5 GDPR|Article 5(2) GDPR]] which obliges the controller to be able to demonstrate compliance with the data protection principles set out in [[Article 5 GDPR|Article 5(1) GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref>  
Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in [[Article 5 GDPR|Article 5(2) GDPR]] which obliges the controller to be able to demonstrate compliance with the data protection principles set out in [[Article 5 GDPR|Article 5(1) GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref>  


The ability to demonstrate compliance with the GDPR must be ensured by appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).</ref>  
The ability to demonstrate compliance with the GDPR must be ensured by appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).</ref> The controller can use a wide variety of ways in order to demonstrate that it implemented appropriate technical and organisational measures that ensure compliance with the GDPR. In particular, the controller can refer to data protection policies (Article 24(2)) or approved codes of conduct or certification mechanisms (Article 24(3)). Recitals 77 adds EDPB guidelines and indications provided by the data protection officer.


Certain provisions of the GDPR provide for specific obligations to demonstrate compliance (e.g. maintaining a record of processing activities under [[Article 30 GDPR|Article 30(1)]] GDPR; documenting personal data breaches under [[Article 33 GDPR|Article 33(5) GDPR]]).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref>  
Certain provisions of the GDPR provide for specific obligations to demonstrate compliance (e.g. maintaining a record of processing activities under [[Article 30 GDPR|Article 30(1)]] GDPR; documenting personal data breaches under [[Article 33 GDPR|Article 33(5) GDPR]]).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.</ref>  

Revision as of 14:20, 17 April 2024

Article 24 - Responsibility of the controller
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 24 - Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Relevant Recitals

Recital 74: Controller Responsibility and Liability
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Recital 75: Risks to the Rights and Freedoms of Natural Persons
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Recital 76: Evaluating the Risks to Natural Persons
The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Recital 77: Guidance on Evaluating Risks
Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

Recital 78: Appropriate Technical and Organisational Measures
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Commentary

This provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. It stipulates the the abstract obligation of the controller to ensure and demonstrate GDPR compliance. This provision is therefore closely connected to the numerous more specific obligations of the controller, such as Article 5(2) GDPR, Article 25 GDPR or Article 32 GDPR.[1] This provision assigns a proactive role to the controller who has to ensure compliance with the GDPR at all stages of processing.[2] To archive this goal, the controller uses technical and organisational measures that are appropriate to the risk connected to the processing (risk based approach).[3]

The controller is not only responsible for the actual compliance with the GDPR, it must also be able to demonstrate compliance. The controller can use codes of conduct or approved certification mechanisms as an element of such demonstration.

Article 24 GDPR is the only provision in the section on the general obligations which cannot be directly penalised with a fine under Article 83(4)(a) or Article 83(5) GDPR.[4]

EDPB Guidelines: For this Article there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(1) Appropriate technical and organisational measures

The controller must implement appropriate technical and organisational measures to ensure compliance of its processing activities with the GDPR. But the mere compliance is insufficient – the controller must also be able to demonstrate that the processing is performed in accordance with the GDPR.

Example: It is not sufficient that a controller manages to answer to access requests in accordance with Article 12 GDPR and Article 15 GDPR. The controller must also be able to demonstrate that it implemented appropriate technical and organisational measures that ensure such compliance with the data subject's right to access.

The technical and organisational measures implemented by the controller are subject to change and must be reviewed and updated regularly in order to ensure the appropriateness of those measures.

The controller

This provision addresses the controller (see commentary on Article 4(7) GDPR) as the primary addressee for GDPR compliance. Other entities, such as data processors, are not subject of Article 24 and their responsibility is limited to specific aspects regulated separately. However, even a limited responsibility of a processor does not affect the overall accountability and liability of the controller.[5]

Taking into account...

To decide which technical and organisational measures to implement, the controller must perform a comprehensive assessment of processing activities, analyse potential consequences and causes of harm, and consider the specific criteria and examples provided in the GDPR to effectively evaluate and mitigate risks associated with data processing. The provision lists several elements that the controller must take into account when assessing the risk.[6]

Nature, scope, context and purposes

The controller must consider the nature, scope, context and purposes of the processing.[7]

The nature of the processing refers in particular to the type or processing (e.g. collection, recording, storing, etc.) as well as to the categories of data processed (e.g. whether special categories of personal data are processed).[8]

The scope of the processing refers to the quantity of the data processing resulting from the amount of affected data subjects the amount of processed data, duration and geographical extend of the data processing.[8]

The context of the processing refers to the specific circumstances such as the modalities and technical implementation, the type and method of data collection and the legal basis in accordance with Article 6 GDPR.[8]

The controller also has to consider the purposes of the processing. See the commentary on Article 5(1)(b) GDPR for more details on the purpose.

Risks of varying likelihood and severity for rights and freedoms of natural persons

Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud.

However, Recital 75 also mentions "loss of confidentiality of personal data protected by professional secrecy". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment. For instance, processing that involves the publication of data can be considered risky. The scale of processing, particularly when it involves large volumes of personal data or profiling, can introduce specific risks if those data are interconnected with other available somewhere else, and even if individual data points seem insignificant. Special circumstances may arise when processing sensitive data, retaining data for extended periods, or transferring data to different contexts. Risky purposes are often associated with social dependency relationships and processing linked to fundamental rights, among other factors.[9]

Additionally, there may be causes of further harm resulting from subsequent data processing that extend beyond the infringement of personal rights. These causes can contribute to increased risks, although they may not be specifically defined. Examples include limitations on data subject rights not provided by law, processing of sensitive data as defined in Articles 9 and 10, creation of individual profiles, recording of individuals requiring special protection (e.g., children), or unique processing activities. These factors can be utilized to influence decisions, engage in discriminatory practices, differentiate treatment, or deny access to services. High-risk processing operations are further detailed in Recitals 89 and 91, particularly highlighting the use of new technologies.[10]

Shall implement appropriate measures to ensure GDPR compliance

The term "measure" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. However, the GDPR does not define what is a technical measure, it merely gives examples,[11] such as securing the access (password protection) or transfer (encryption). Of course, these technical measures would be ineffective if no organisational measures that secure compliance with them are implemented (e.g. data audits, activity logs, internal training of employees by the DPO).[12] Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "transparency with regard to the functions and processing of personal data". In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, as Hartung observes, this is not really a problem because the GDPR does not differentiate between the two in terms of legal requirements.[13]

And to demonstrate GDPR compliance

Pursuant to Article 24(1) the controller must be able to demonstrate the compliance with the GDPR. This provision therefore widens the accountability obligation stipulated in Article 5(2) GDPR which obliges the controller to be able to demonstrate compliance with the data protection principles set out in Article 5(1) GDPR.[14]

The ability to demonstrate compliance with the GDPR must be ensured by appropriate technical and organisational measures. The comprehensiveness of the necessary evidence must be proportionate to the risk posed by the processing operation. The riskier a processing operation, the more comprehensive the accompanying evidence must be.[15] The controller can use a wide variety of ways in order to demonstrate that it implemented appropriate technical and organisational measures that ensure compliance with the GDPR. In particular, the controller can refer to data protection policies (Article 24(2)) or approved codes of conduct or certification mechanisms (Article 24(3)). Recitals 77 adds EDPB guidelines and indications provided by the data protection officer.

Certain provisions of the GDPR provide for specific obligations to demonstrate compliance (e.g. maintaining a record of processing activities under Article 30(1) GDPR; documenting personal data breaches under Article 33(5) GDPR).[16]

Whether the controller’s obligation to demonstrate compliance, also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to Article 82, is disputed.[17]

Measures must be continuously reviewed and updated

The controller must continuously ensure and demonstrate compliance with the GDPR by consistently reviewing existing measures and updating them.

Beyond the qualifier "where necessary", it is not specified how frequently updates must be carried out. The criterion of necessity does not mean that the controller must only react to concrete changes. Since it is the controller’s responsibility to ensure that their processing operations are compliant at any time, the controller has to review its measures regularly. However, significant changes in the processing activity or the legal environment will certainly trigger the obligation to review the technical and organisational measures.[18]

Example: A controller running an online-shop receives a complaint from a data subject claiming that one of his online-forms violates the principle of data minimization (Article 5(1)(c) GDPR). Such a complaint could trigger a review of the processing activity.

In course of the review the controller must assess if the current technical and organizational measures, are still appropriate and effective to ensure the compliance with the GDPR and to be able to demonstrate the compliance. If not, the controller has to implement additional technical and organizational measures or change the existing ones in order to bring the processing activity in compliance with the GDPR.[19]

Particular attention should be paid to the advice of the data protection officer in accordance with Article 39(1) GDPR, who is tasked with the monitoring of the controller’s compliance with data protection regulations (without decrementing the controller’s responsibility to ensure compliance).  

(2) Data protection policies

Article 24(2) mentions a specific organisational measure, namely the implementation of data protection policies – internal guidelines with binding effect in the controller’s organization. Such policies regularly include concrete procedural instructions and oblige the controller’s employees to act in a specific way to ensure compliance with the GDPR.[20] If the controller appointed a data protection officer, this person is also tasked with the monitoring of the controller’s data protection policies (see Article 39(1)(b) GDPR)

Example: Most controllers have a general data protection policy covering topics like the destruction of sensitive documents, the usage of IT-infrastructure and deletion periods as well as more specific data protection policies like specific internal rules regarding the compliance with data protection in the product development process or the handling of access requests in accordance with Article 15 GDPR.

The implementation of data protection policies is only mandatory, when it is proportionate to the processing activity. In other words, it is not obligatory to implement a data protection policy for all processing activities. However, for larger organisations or controllers of extensive processing activities the implementation of data protection policies is necessary.[21]

Regardless of the existence of an obligation, an implementation of data protection policies is an important tool in order to demonstrate compliance with the GDPR.

(3) Demonstration through codes of conduct and certifications

Article 24(3) provides for the possibility to refer to the adherence to (i) approved codes of conduct (Article 40 GDPR), (ii) approved certification mechanisms (Article 42 GDPR) in order to indicate compliance with the GDPR. , or (iii) guidelines by the EDPB and advice by the data protection officer (Recital 77 GDPR). Nevertheless, it follows from the word "element" that such self-regulation measures only support the assumption that the controller is compliant, but does not prove it.[22]

Example: A credit information agency adheres to approved codes of conduct when implementing deletion periods for certain data categories, and still violates Article 5(1)(a) and Article 6(1) GDPR because the duration of those deletion periods are unjustified.[23]

However, this provision does not limit the possibility to demonstrate compliance via other means (see section on “And to demonstrate GDPR compliance” above).

Decisions

→ You can find all related decisions in Category:Article 24 GDPR

References

  1. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).
  2. Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).
  3. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2024, 4th Edition).
  4. However, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations. Plath, in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).
  5. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 9 (C.H. Beck 2019).
  6. Although GDPR prescribes that the controller must determine the risk, it does not prescribe procedural steps on how to perform this assessment. Hence, this assessment is left to the controller. In this regard, Martini points to Article 35(4) GDPR, which states that “The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment”, and notes that such a list can provide guidance to controllers since it shows which processing operations constitute a high risk. However, he also argues that “informative content is limited to whether there is a high or normal risk and whether a data protection impact assessment is therefore indicated (Art. 35(1)) and the supervisory authority must be consulted (Art. 36(1)) before the controller takes concrete measures”. Hence, such a list is merely an indication of risk and does not provide the controller with certainty as to which measures are suitable and effective in a specific case. See, Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition). Moreover, the EDPB could also provide useful guidance. Lang notes that the Board may issue guidelines pursuant to Article 70(1)(e) GDPR, and that this applies in particular to the determination of risk that is related to processing (recital 77 GDPR). Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).
  7. The attribution of the various conditions to these criteria is not practised consistently. 
  8. 8.0 8.1 8.2 add citations (Knyrim)
  9. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 12 (C.H. Beck 2019).
  10. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 24 GDPR, margin number 13-14 (C.H. Beck 2019).
  11. Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin numbers 23-24 (C.H. Beck 2022, 4th Edition).
  12. Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 21-22 (C.H. Beck 2021, 3rd Edition).
  13. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2020, 3rd Edition).
  14. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.
  15. Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).
  16. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition) with further references.
  17. instead of many: Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
  18. Dumortier, Gryffroy, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 38 (C.H.Beck 2023).
  19. Dumortier, Gryffroy, in Spiecker gen. Döhmann, Papakonstantinou, Hornung, De Hert, General Data Protection Regulation, Article 24 marginal number 43 (C.H.Beck 2023)
  20. Knyrim Art 24 marginal number 31.
  21. Jos Dumortier, Pieter Gryffroy , Art 24  marginal number 24.
  22. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 23, margin number 23 (C.H. Beck 2024, 4rd Edition).
  23. CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA Holding AG, 07 December 2023, margin number 109 (available here)