CHAPTER IV Controller and processor
Section 1 General obligations
Authors: Jos Dumortier and Pieter Gryffroy
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
A. Preliminary remarks
Art. 24 GDPR, titled “Responsibility of the controller”, tasks the controller with ensuring compliance of its processing operations with the GDPR as a whole. The controller must do this by implementing appropriate and effective[1] measures within its organization and be able to demonstrate compliance at any given time. Art. 24 GDPR hence does not only require the controller to put policies and processes in place to effectively implement all GDPR obligations and principles in its organization, but also to be able to prove such effective implementation.
This combination of a general responsibility for the controller to respect the law with an obligation to proactively produce and have available clear evidence of compliance is what Art. 5 para. 2 GDPR refers to as the data processing principle of accountability (→ Art. 5 mn. 137 et seq.). Bearing in mind the legislative history, which is discussed below (→ mn. 7), there is no doubt that accountability was explicitly part of Art. 24 from the outset. In fact, given that accountability as a concept under the GDPR includes the responsibility of the controller to comply with the law, the title of Art. 24 could have referred to the “accountability” of the controller instead of its “responsibility”, as the EP proposed; this proposal was not retained in the final version of the GDPR.
Accountability, as contained in Art. 24 GDPR and set out in Art. 5 para. 2 GDPR, is a central principle of the GDPR, meant to strengthen the impact of data protection law and to ensure that data protection becomes part of the shared values and practices of every organization acting as a controller processing personal data.[2] It is one of the GDPR’s most important innovations, because it clearly places the burden on the controller to actively implement data protection throughout all layers of its organization and to provide evidence of this. This was lacking under the DPD, where the closest equivalent was the obligation in Art. 17 DPD for the controller to implement appropriate security measures. Moreover, since there was no general obligation to have evidence of compliance available on request, the SA’s task of assessing whether a controller was compliant was often cumbersome and difficult. As a consequence of accountability, not only should more compliance evidence be readily available upon request, but authorities will also have an immediate cause of action if this is not the case, since being able to demonstrate compliance is now a direct obligation of the controller.[3]
In order to fully understand the impact of the introduction of the principle of accountability in the GDPR, it is important to refer to the GDPR’s innovations in terms of enforcement. Under the DPD, the controller was obliged to notify processing operations to the national SA prior to commencing the processing. In practice, this led to data protection often being treated as a legal requirement to be ticked off by the legal department, rather than as part of organizational practice from top to bottom. In addition, the enforcement mechanism under the DPD was rather weak, as sanctions could only be imposed by going to the national courts, and any sanctions or fines imposed were typically not sufficiently dissuasive. This led to a weak data protection practice in the EU.[4]
Under the GDPR, however, SAs can themselves impose sanctions and fines, with fines for serious infractions reaching amounts of up to EUR 20,000,000 or 4% of the undertaking’s total worldwide annual turnover;[5] these are unprecedented sanctions compared to the proverbial slap on the wrist a controller could receive under the DPD. This increase in enforcement capabilities strengthens the importance and effectiveness of accountability in Art. 24 GDPR.[6] While sanctions are not imposed for a breach of Art. 24 GDPR in and of itself, they are imposed for a breach of accountability under Art. 5 para. 2 GDPR, as well as for a breach of any of the many principles and obligations Art. 24 links to, by virtue of being a general obligation to comply with the GDPR in its totality and to be able to prove such compliance. In this way, Art. 24 makes the controller responsible for implementing appropriate and effective measures to guarantee compliance with all GDPR principles and obligations; failure can result in serious liability. Aside from the aforementioned fines, Art. 82 GDPR exposes the controller to liability towards the data subject or any other person who suffered damages following the controller’s failure either to comply with the GDPR or to be able to demonstrate this compliance (→ Art. 82 mn. 7 and following). In light of the foregoing considerations, the GDPR has clearly and fundamentally changed and strengthened the approach to data protection, and Art. 24 GDPR is a crucial expression of that change.
[…]
[1] Recital 74 GDPR.
[2] Art. 29 WP, The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (adopted on 1 December 2009; 02356/09/EN; WP 168), p. 3.
[3] Art. 29 WP, Opinion 3/2010 on the principle of accountability (adopted on 13 July 2010; 00062/10/EN; WP 173), para. 60.
[4] Art. 29 WP, The Future of Privacy, n. 2, p. 19.
[5] Art. 83 para. 5 GDPR.
[6] On the move from an a priori to an a posteriori control, see: Delforge, ‘Les obligations générales du responsable du traitement et la place du sous-traitant’ in De Terwagne/Rosier, Le Règlement Général sur la protection des données (RGPD/GDPR) (2018), pp. 382–383.