Article 24 GDPR: Difference between revisions

Revision as of 15:46, 25 April 2022

← Article 24 - Responsibility of the controller →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 24 - Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Relevant Recitals

Recital 74: Controller Responsibility and Liability

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Recital 75: Risks to the Rights and Freedoms of Natural Persons

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Recital 76: Evaluating the Risks to Natural Persons

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Recital 77: Guidance on Evaluating Risks

Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

Recital 78: Appropriate Technical and Organisational Measures

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Commentary

This provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s responsibilities as the first addressee for compliance with the provisions of the GDPR. The actual obligations that follow from this position are described more specifically in other provisions, such as Article 25 GDPR or Article 32 GDPR.^[1] However, according to Plath, this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.^[2] Nevertheless, Article 24 GDPR is the only provision in this section which precludes the imposition of fines under Article 83(4)(a) or Article 83(5) GDPR. As Hartung notes, this supports the view that it is intended as a general provision that provides an overview of the controller’s responsibilities.^[3] Although the provision refers to “responsibility”, it builds on Article 5(2) GDPR by imposing accountability on the controller. According to Docksey, this shift from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance is one of the GDPR’s most innovative aspects.^[4] Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that the controller can “ensure” compliance with the Regulation.

(1) Appropriate Technical and Organisational Measures

The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including data protection principles (Article 5 GDPR), data subject rights (amongst others, Articles 12 to 22 GDPR) and controllers’ obligations.

Measures

The term "measure" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. However, the GDPR does not define what is a technical measure, it merely gives examples,^[5] such as securing the access (password protection) or transfer (encryption). Of course, these technical measures would be ineffective if no organisational measures that secure compliance with them are implemented (e.g. data audits, activity logs, internal training of employees by the DPO).^[6] Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "transparency with regard to the functions and processing of personal data". In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, as Hartung observes, this is not really a problem because the GDPR does not differentiate between the two in terms of legal requirements.^[7]

Risk-based Approach

To decide which measures to implement, the controller must perform a risk assessment and select the most appropriate ones. The provision lists several elements that the controller must take into account when assessing the risk. First, it must consider the nature of the processing (manual or automated), the scope of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the context of the processing (how many parties are involved, which systems are used, etc.), and the purposes of the processing.^[8] Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. This obligation to consider the likelihood of the materialisation expands on Article 17 of the Data Protection Directive (DPD), which merely mentioned the consideration of risks.^[9] Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "loss of confidentiality of personal data protected by professional secrecy". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment.This provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s responsibilities as the first addressee for compliance with the provisions of the GDPR.^[10] Lastly, although GDPR prescribes that the controller must determine the risk, it does not prescribe procedural steps on how to perform this assessment. Hence, this assessment is left to the controller. In this regard, Martini points to Article 35(4) GDPR, which states that “The supervisory auThis provision opens Section 1 of Chapter IV, which is dedicated to the “General obligations” of the controller and processor. It provides an overview of the controller’s responsibilities as the first addressee for compliance with the provisions of the GDPR.thority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment”, and notes that such a list can provide guidance to controllers since it shows which processing operations constitute a high risk. However, he also stipulates that “informative content is limited to whether there is a high or normal risk and whether a data protection impact assessment is therefore indicated (Art. 35(1)) and the supervisory authority must be consulted (Art. 36(1)) before the controller takes concrete measures”. Hence, such a list is merely an indication of risk and does not provide the controller with certainty as to which measures are suitable and effective in a specific case.^[11] Moreover, the EDPB could also provide useful guidance. Lang notes that the Board may issue guidelines pursuant to Article 70(1)(e) GDPR, and that this applies in particular to the determination of risk that is related to processing (recital 77 GDPR).^[12]

Demonstrating Compliance and Updating Data Processing Measures

Controllers not only have to ensure compliance, but have to demonstrate it through evidence. The comprehensiveness of this evidence must be proportionate to the risk posed by the processing operation. The more risky a processing operation, the more comprehensive the accompanying evidence must be.^[13] Conversely, where the risk is lower a witness statement rather than physical documentation might be sufficient. Like other elements of the provision, this requirement is elaborated on in other GDPR articles (e.g. maintaining a record of processing activities under Article 30(1) GDPR; documenting personal data breaches under Article 33(5) GDPR). Whether the controller’s obligation to demonstrate compliance, also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to Article 82, is uncertain. Some authors, such as Bergt and Quaas, argue in favour of this point of view,^[14] as does the Regional Labor Court of Baden-Württemberg.^[15] Others, however, disagree with this interpretation. According to Martini, the controller’s obligation to demonstrate compliance does not necessarily imply that the burden of proof lies with it where a claim is brought under civil law. If a data subject asserts a claim for damages under Article 82 GDPR, it is still up to them to prove the violation of data protection law, damage, and causality.^[16] The controller must continuously be able to demonstrate compliance, where necessary by reviewing existing measures and updating them. This requirement is closely related to the controller's obligations laid down in Article 32(1)(d) GDPR. Beyond the qualifier "where necessary", it is not specified how frequently updates must be carried out. Again, it is the controller’s responsibility to ensure that their processing operations are still compliant.^[17]

(2) Data Protection Policies

Although Hartung claims that this paragraph is obscure,^[18] Martini argues it simply expands on Article 24(1) GDPR by specifying the conditions under which the technical and organisational measures must also include data protection measures. By singling these out, Martini contends that they constitute specific measures within the "general" organisational measures, and that paragraph 2 simply refers to procedural measures. These policies are thus not merely legal requirements, but concrete procedural instructions to follow to avoid any violation of the GDPR. The instructions that should follow from such policies are linked to Article 39(1)(b) GDPR, which states that the DPO’s duty to monitor compliance with the data protection policies. Again, the principle of proportionality plays a big role. A large company carrying out many different processing operations should have more comprehensive and specific policies than a small company with few processing operations.^[19]

(3) Self-Regulation Measures as Evidence of Compliance

Article 24(3) provides the controller with more certainty regarding the question whether it is sufficiently able to demonstrate compliance with its obligations. The controller can show that it adhered to (i) approved codes of conduct (Article 40 GDPR), (ii) approved certification mechanisms (Article 42 GDPR), or (iii) guidelines by the EDPB and advice by the data protection officer (Recital 77 GDPR). Nevertheless, it follows from the word "element" that such self-regulation measures only support the assumption that the controller is compliant, but does not prove it.^[20]

Decisions

→ You can find all related decisions in Category:Article 24 GDPR

References

↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2020, 3rd Edition).
↑ Plath, in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 24 (C.H. Beck 2020, 3rd Edition).
↑ Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).
↑ Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin numbers 23-24 (C.H. Beck 2022, 4th Edition).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 21-22 (C.H. Beck 2021, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2020, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 14 (C.H. Beck 2020, 3rd Edition).
↑ Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 24 (C.H. Beck 2021, 3rd Edition).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition).
↑ Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).
↑ For example, Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin numbers 46, 48 (C.H. Beck 2020, 3rd Edition); Quaas, in: Wolff, Brink, BeckOK Datenschutzrecht, Article 82 GDPR, margin number 16 (C.H. Beck 2021, 39th Edition).
↑ LAG Baden-Württemberg, 25 February 2021, 17 Sa 37/20, margin number 61 (available here).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition). See also Moos, Schefzig, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 37a-38 (C.H. Beck 2021, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 21 (C.H. Beck 2020, 3rd Edition).
↑ Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 39-42 (C.H. Beck 2021, 3rd Edition).
↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 23 (C.H. Beck 2020, 3rd Edition).

[1] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2020, 3rd Edition).

[2] Plath, in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).

[3] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 24 (C.H. Beck 2020, 3rd Edition).

[4] Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).

[5] Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin numbers 23-24 (C.H. Beck 2022, 4th Edition).

[6] Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 21-22 (C.H. Beck 2021, 3rd Edition).

[7] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2020, 3rd Edition).

[8] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 14 (C.H. Beck 2020, 3rd Edition).

[9] Docksey, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).

[10] Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 24 (C.H. Beck 2021, 3rd Edition).

[11] Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition).

[12] Lang, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).

[13] Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).

[14] For example, Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin numbers 46, 48 (C.H. Beck 2020, 3rd Edition); Quaas, in: Wolff, Brink, BeckOK Datenschutzrecht, Article 82 GDPR, margin number 16 (C.H. Beck 2021, 39th Edition).

[15] LAG Baden-Württemberg, 25 February 2021, 17 Sa 37/20, margin number 61 (available here).

[16] Martini, in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition). See also Moos, Schefzig, in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).

[17] Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 37a-38 (C.H. Beck 2021, 3rd Edition).

[18] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 21 (C.H. Beck 2020, 3rd Edition).

[19] Martini, in Paal, Pauly, DS-GVO, Article 24, margin numbers 39-42 (C.H. Beck 2021, 3rd Edition).

[20] Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 23 (C.H. Beck 2020, 3rd Edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

@@ Line 196: / Line 196: @@
 {{Recital/74 GDPR}}{{Recital/75 GDPR}}{{Recital/76 GDPR}}{{Recital/77 GDPR}}{{Recital/78 GDPR}}
-==Commentary on Article 24==
+==Commentary==
-This provision opens Chapter 4’s Section 1, which is dedicated to the “''General obligations''” of the controller and processor. It provides an overview of the controller’s essential responsibility as the first addressee for compliance with the provisions of the GDPR.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 1 (C.H.Beck 2020).</ref> Since it provides an overview, the actual obligations that follow from the controller’s responsibility are described more specifically in other provisions, such as [[Article 25 GDPR]] or [[Article 32 GDPR]].<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020).</ref> However, according to ''Plath'', this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to ''Plath,'' in Plath Art. 24, para 2.</ref> Nevertheless, Article 24 is the only provision in this section, where a violation cannot be sanctioned with a fine under [[Article 83 GDPR#4a|Article 83(4)(a)]] or [[Article 83 GDPR#5|Article 83(5) GDPR]]. As ''Hartung'' notes, this supports the view that the provision is intended as a general provision that provides an overview of the controller.
+This provision opens Section 1 of Chapter IV, which is dedicated to the “''General obligations''” of the controller and processor. It provides an overview of the controller’s responsibilities as the first addressee for compliance with the provisions of the GDPR. The actual obligations that follow from this position are described more specifically in other provisions, such as [[Article 25 GDPR]] or [[Article 32 GDPR]].<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> However, according to ''Plath'', this does not mean that the provision is merely declaratory: it also establishes directly applicable obligations.<ref>''Plath,'' in Plath DSGVO BDSG, Article 24 GDPR, margin number 2 (Ottoschmidt 2018, 3rd Edition).</ref> Nevertheless, Article 24 GDPR is the only provision in this section which precludes the imposition of fines under [[Article 83 GDPR|Article 83(4)(a)]] or [[Article 83 GDPR|Article 83(5) GDPR]]. As ''Hartung'' notes, this supports the view that it is intended as a general provision that provides an overview of the controller’s responsibilities.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 24 (C.H. Beck 2020, 3rd Edition).</ref> Although the provision refers to “''responsibility''”, it builds on Article 5(2) GDPR by imposing accountability on the controller. According to ''Docksey'', this shift from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance is one of the GDPR’s most innovative aspects.<ref>''Docksey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 557 (Oxford University Press 2020).</ref> Hence, the controller’s processing operations must be known (“''taking into account''”), controlled (through “''appropriate technical and organisational measures''”) and regularly reviewed (“''updated where necessary''”), so that the controller can “''ensure''” compliance with the Regulation.
-Although the provision speaks of “responsibility”, it imposes accountability on the controller, next to [[Article 5 GDPR#2|Article 5(2) GDPR]]. According to ''Docksey'', this principle is one of the GDPR’s most innovative aspects, since meaning has developed from ‘passive’ responsibility to a concept of ‘proactive’ and demonstrable compliance.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 557-561 (Oxford University Press 2020).</ref> Hence, the controller’s processing operations must be known (“taking into account”), controlled (through “appropriate technical and organisational measures”) and regularly reviewed (“updated where necessary”), so that the controller can “ensure” compliance with the Regulation.
 ===(1) Appropriate Technical and Organisational Measures===
-The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including respect of data protection principles ([[Article 5 GDPR]]), data subject’s rights (amongst others, [[Article 12 GDPR|Articles 12]] to [[Article 22 GDPR|22 GDPR]]) and controller’s obligations.
+The controller must implement effective technical and organisational measures to ensure compliance with the entire GDPR, including data protection principles ([[Article 5 GDPR]]), data subject rights (amongst others, [[Article 12 GDPR|Articles 12]] to [[Article 22 GDPR|22 GDPR]]) and controllers’ obligations.
-==== '''Measures''' ====
-The term "measure" must be understood broadly since it refers to all actions that are appropriate in serving the purpose of achieving compliance of the processing with the GDPR. As the provision explains, this can be done through technical and organisational means. Technical measures are measures of which its technical effect lies in the functionality of the technique, for example by securing the access (password protection) or transfer (encryption). Of course, these technical measures would not mean a lot if there were no organisational measures that secure compliance with these technical measures. One can think of the implementation of sampling routines, the duty to log activities, or training of employees by the DPO.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 20a-22 (C.H.Beck 2021). </ref> Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "''transparency with regard to the functions and processing of personal data''". It must be noted, however, that it is not always clear to distinct between technical and organisational measures, since these can overlap. However, as ''Hartung'' mentions, this is not really a problem since the GDPR does not differentiate in terms of legal requirements.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 11 (C.H.Beck 2020) referring to ''Plath,'' in Plath Art. 24, para 17.</ref>
-==== '''Risk-based approach - elements''' ====
-To know which measures should be implemented, the controller must perform an assessment to select the most appropriate ones among the different options available. The provision lists several elements that the controller must take into account when assessing the risk. First, there are the ''nature'' of the processing (manual or automated), the ''scope'' of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the ''context'' of the processing (how many parties are involved, which systems are used, etc.), and the ''purposes'' of the processing.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 14 (C.H.Beck 2020).</ref> Second, the controller must assess the severity of the risk for the rights and freedoms of natural persons, ''and'' the likelihood that this risk materialises. Whereas Article 17 of the Data Protection Directive (DPD) merely mentioned the latter element, the controller must now also consider the likelihood of the materialisation.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref>
-Recital 75 gives useful guidance to determine what this risk actually entails. Besides making clear that the damage can be physical, material, or immaterial, it lists a long list of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) Chapter of Fundamental Rights, that the principle of proportionality plays an important part in determining whether or not a measure is appropriate. Hence, the cost-effectiveness of a measure can play an important part in the assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 24 (C.H.Beck 2021).</ref> Lastly, although GDPR prescribes that the controller must determine the risk, it does not provide procedural steps on ''how'' to perform this assessment.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, para 36 (C.H.Beck 2021).</ref> However, many DPA's, as well as the EDPB, provide guidelines for controllers to rely on.
-==== '''Demonstrating and updating''' ====
+==== Measures ====
-Controllers not only have to ensure compliance, they also have to demonstrate it by providing evidence. This comprehensiveness of this evidence must be proportionate to the risk of the processing operation: the more risky a processing operation is, the more comprehensive the evidence must be. Conversely, with a low risk, a witness statement might already suffice, instead of physical documentation. Like other elements of the provision, this requirement is further specified in other provisions, like the maintaining of records of processing activities in [[Article 30 GDPR#1|Article 30(1)]], or the documenting of any personal data breaches in [[Article 33 GDPR#5|Article 33(5) GDPR]]. The fact that de controller has to demonstrate compliance, however, does not necessarily imply that the burden of proof lies with the controller in case of a claim under civil law. If a data subject asserts a claim for damages under [[Article 82 GDPR]], then ''they'' have to prove the violation of data protection law, their damages, and the causality.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 25-25d (C.H.Beck 2021).</ref>
+The term "''measure''" must be understood broadly since it refers to all actions that are appropriate to make the processing compliant with the GDPR. As the provision explains, this can be done through technical and organisational means. However, the GDPR does not define ''what'' is a technical measure, it merely gives examples,<ref>''Lang'', in Taeger, Gabel, DSGVO BDSG, Article 24, margin numbers 23-24 (C.H. Beck 2022, 4th Edition).</ref> such as securing the access (password protection) or transfer (encryption). Of course, these technical measures would be ineffective if no organisational measures that secure compliance with them are implemented (e.g. data audits, activity logs, internal training of employees by the DPO).<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin numbers 21-22 (C.H. Beck 2021, 3rd Edition).</ref> Other examples of "measures" are given in Recital 78, which lists pseudonymisation, data minimisation, and "''transparency with regard to the functions and processing of personal data''". In practice, the distinction between technical and organisational measures is not always clear as these can overlap. However, as ''Hartung'' observes, this is not really a problem because the GDPR does not differentiate between the two in terms of legal requirements.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 17 (C.H. Beck 2020, 3rd Edition).</ref>
-As the last sentence of the first paragraph makes clear, the controller must continuously be able to demonstrate compliance, by reviewing implemented measures and updating them where necessary. Hence, like other elements, this requirement is closely related to other provisions. In this case, this requirement is closely related to the controller's obligations laid down in [[Article 32 GDPR#1d|Article 32(1)(d) GDPR]]. It is not specified how frequent the updating process must be, apart from "if necessary". Again, it is up to the controller to make sure that it keeps track whether their processing operations are still compliant.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 37a-38 (C.H.Beck 2021).</ref>
+==== Risk-based Approach ====
+To decide which measures to implement, the controller must perform a risk assessment and select the most appropriate ones. The provision lists several elements that the controller must take into account when assessing the risk. First, it must consider the ''nature'' of the processing (manual or automated), the ''scope'' of the processing (amount of data subjects affected, amount of data collected, bulk or individual processing, sensitivity of the data), the ''context'' of the processing (how many parties are involved, which systems are used, etc.), and the ''purposes'' of the processing.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref> Second, the controller must assess the severity of the risks for the rights and freedoms of natural persons, as well as the likelihood that these materialise. This obligation to consider the likelihood of the materialisation expands on Article 17 of the Data Protection Directive (DPD), which merely mentioned the consideration of risks.<ref>''Docksey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 24 GDPR, p. 564 (Oxford University Press 2020).</ref>
+Recital 75 gives useful guidance to determine what this risk actually entails. Besides clarifying that the damage can be physical, material, or immaterial, it lists a range of examples of damages, such as discrimination, identity theft or fraud. However, it also mentions "''loss of confidentiality of personal data protected by professional secrecy''". Moreover, it is important to note that, although this is not mentioned in the provision, it follows from Article 52(1) of the Charter of Fundamental Rights that the principle of proportionality plays an important role in determining whether a measure is appropriate. Thus, the cost-effectiveness of a measure can play an important part in the assessment.<span lang="EN-GB">This
+provision opens Section 1 of Chapter IV, which is dedicated to the “''General
+obligations''” of the controller and processor. It provides an overview of
+the controller’s responsibilities as the first addressee for compliance with
+the provisions of the GDPR.</span><ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 24 (C.H. Beck 2021, 3rd Edition).</ref> Lastly, although GDPR prescribes that the controller must determine the risk, it does not prescribe procedural steps on how to perform this assessment. Hence, this assessment is left to the controller. In this regard, ''Martini'' points to Article 35(4) GDPR, which states that “''The supervisory au''<span lang="EN-GB">This
+provision opens Section 1 of Chapter IV, which is dedicated to the “''General
+obligations''” of the controller and processor. It provides an overview of
+the controller’s responsibilities as the first addressee for compliance with
+the provisions of the GDPR.</span>''thority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment''”, and notes that such a list can provide guidance to controllers since it shows which processing operations constitute a high risk. However, he also stipulates that “''informative content is limited to whether there is a high or normal risk and whether a data protection impact assessment is therefore indicated (Art. 35(1)) and the supervisory authority must be consulted (Art. 36(1)) before the controller takes concrete measures''”. Hence, such a list is merely an indication of risk and does not provide the controller with certainty as to which measures are suitable and effective in a specific case.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 36-36b (C.H. Beck 2021, 3rd Edition).</ref> Moreover, the EDPB could also provide useful guidance. ''Lang'' notes that the Board ''may'' issue guidelines pursuant to Article 70(1)(e) GDPR, and that this applies in particular to the determination of risk that is related to processing (recital 77 GDPR).<ref>''Lang'', in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).</ref>
+==== Demonstrating Compliance and Updating Data Processing Measures ====
+Controllers not only have to ensure compliance, but have to demonstrate it through evidence. The comprehensiveness of this evidence must be proportionate to the risk posed by the processing operation. The more risky a processing operation, the more comprehensive the accompanying evidence must be.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition).</ref> Conversely, where the risk is lower a witness statement rather than physical documentation might be sufficient. Like other elements of the provision, this requirement is elaborated on in other GDPR articles (e.g. maintaining a record of processing activities under [[Article 30 GDPR|Article 30(1)]] GDPR; documenting personal data breaches under [[Article 33 GDPR|Article 33(5) GDPR]]). Whether the controller’s obligation to demonstrate compliance, also implies a reversal of the burden of proof when a data subject seeks compensation for damages pursuant to Article 82, is uncertain. Some authors, such as Bergt and Quaas, argue in favour of this point of view,<ref>For example, Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 24, margin numbers 46, 48 (C.H. Beck 2020, 3rd Edition); ''Quaas'', in: Wolff, Brink, BeckOK Datenschutzrecht, Article 82 GDPR, margin number 16 (C.H. Beck 2021, 39th Edition).</ref> as does the Regional Labor Court of Baden-Württemberg.<ref>LAG Baden-Württemberg, 25 February 2021, 17 Sa 37/20, margin number 61 (available [http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&nr=34234 here]).</ref> Others, however, disagree with this interpretation. According to ''Martini,'' the controller’s obligation to demonstrate compliance does not necessarily imply that the burden of proof lies with it where a claim is brought under civil law. If a data subject asserts a claim for damages under [[Article 82 GDPR]], it is still up to them to prove the violation of data protection law, damage, and causality.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin number 25a (C.H. Beck 2021, 3rd Edition). See also ''Moos, Schefzig,'' in Taeger, Gabel, DSGVO BDSG, Article 24, margin number 62 (C.H. Beck 2022, 4th Edition).</ref> The controller must continuously be able to demonstrate compliance, where necessary by reviewing existing measures and updating them. This requirement is closely related to the controller's obligations laid down in [[Article 32 GDPR|Article 32(1)(d) GDPR]]. Beyond the qualifier "''where necessary''", it is not specified how frequently updates must be carried out. Again, it is the controller’s responsibility to ensure that their processing operations are still compliant.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin numbers 37a-38 (C.H. Beck 2021, 3rd Edition).</ref>
 === (2) Data Protection Policies ===
-Although ''Hartung'' claims that this paragraph is puzzling to understand,<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 21 (C.H.Beck 2020).</ref>, ''Martini'' states that this paragraph expands on paragraph 1 by specifying the conditions under which the measures, listed in paragraph 1, must also include data protection measures. By singling out data protection measures, ''Martini'' further considers that these kind of measures are specific measures within the more "general" organisational measures, and that the measures listed in paragraph 2 are primarily oriented towards procedures, rather than result. These policies are thus not merely legal requirements, but concrete procedural instructions to follow, in order to avoid any violation with the GDPR. The clear instructions that should follow from such policies are linked with [[Article 39 GDPR#1b|Article 39(1)(b) GDPR]], which states that the tasks of the DPO to monitor compliance with the data protection policies include awareness-training and the training of staff. Again, the principle of proportionality plays a big role: one can expect a large company with many different processing operations to have more worked out, specific instructions, than a small company with few processing operations.<ref>''Martini'', in Paal & Pauly, DS-GVO Art. 24, paras 39-42 (C.H.Beck 2021).</ref>
+Although ''Hartung'' claims that this paragraph is obscure,<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 21 (C.H. Beck 2020, 3rd Edition).</ref> ''Martini'' argues it simply expands on Article 24(1) GDPR by specifying the conditions under which the technical and organisational measures must also include data protection measures. By singling these out, ''Martini'' contends that they constitute specific measures within the "''general''" organisational measures, and that paragraph 2 simply refers to procedural measures. These policies are thus not merely legal requirements, but concrete procedural instructions to follow to avoid any violation of the GDPR. The instructions that should follow from such policies are linked to [[Article 39 GDPR|Article 39(1)(b) GDPR]], which states that the DPO’s duty to monitor compliance with the data protection policies. Again, the principle of proportionality plays a big role. A large company carrying out many different processing operations should have more comprehensive and specific policies than a small company with few processing operations.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 24, margin numbers 39-42 (C.H. Beck 2021, 3rd Edition).</ref>
 === (3) Self-Regulation Measures as Evidence of Compliance ===
-The last paragraph of this provision provides the controller more certainty regarding the question whether or not it is sufficiently able to demonstrate compliance with its obligations. The controller can show that it adhered to approved codes of conduct as referred to in [[Article 40 GDPR]], approved certification mechanisms as referred to in [[Article 42 GDPR]], or, according to Recital 77: guidelines by the EDPB or advice by the data protection officer. Nevertheless, it follows from the word "element" that such adherence only ''supports'' the assumption that the controller is compliant, and does not ''prove'' it.<ref>''Hartung'', in Kühling & Buchner, DS-GVO BDSG, Art. 24, para 20 (C.H.Beck 2020).</ref>
+Article 24(3) provides the controller with more certainty regarding the question whether it is sufficiently able to demonstrate compliance with its obligations. The controller can show that it adhered to (i) approved codes of conduct ([[Article 40 GDPR]]), (ii) approved certification mechanisms ([[Article 42 GDPR]]), or (iii) guidelines by the EDPB and advice by the data protection officer (Recital 77 GDPR). Nevertheless, it follows from the word "''element''" that such self-regulation measures only support the assumption that the controller is compliant, but does not prove it.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 24, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref>
 ==Decisions==
 → You can find all related decisions in [[:Category:Article 24 GDPR]]