GDPR
Article 24 establishes a "general principle of responsibility" at the forefront of the general obligations of the controller, whose definition remains unchanged since the Directive (see G29, Opinion 3/2010 of 13 July 2010, on the principle of responsibility). Indeed, the controller is defined as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes (...) and the means of the processing of personal data” (Art. 4 (7)).
The principle included in the first paragraph is divided into two rules.
The first rule confirms the special responsibility of the controller in the implementation of the appropriate technical and organizational measures to perform the processing in accordance with the Regulation.
The initially proposed version provided a list of the measures in question, but this list was not included in the final version. It nevertheless remains very useful for understanding the scope of the principle. That list covered most of the general measures that the text of the Regulation leaves unspecified or only partly specified, such as: maintaining the documentation provided for in Article 30, implementing the data security obligations provided for in Article 32, conducting a data protection impact assessment under Article 35, complying with the obligations of authorization or prior consultation of the supervisory authority under Article 36 (1) and (2), and designating a data protection officer under Article 37 (2) and (3).
This first rule also provides that to determine the appropriate technical and organizational measures, account must be taken of the nature, the scope, the context and the purpose of processing as well as the likelihood and the severity of risks with respect to the rights and freedoms of natural persons.
Recitals 75 and 76 give many examples of the risks envisaged: processing that is likely to result in physical, material or moral damage, in particular where the processing may give rise to discrimination, identity theft or usurpation, financial loss, damage to reputation or loss of confidentiality of data protected by professional secrecy, where sensitive data are processed, where personal aspects are evaluated, etc. The probability and the severity have to be assessed depending on the nature, the scope, the context and the purpose of the processing of data. The risk should be subject to an objective assessment to determine whether the data processing operations carry a high risk. According to recital 60 (3), high risk means a particular risk of prejudice to the rights and freedoms of individuals.
Paragraph 2 of Article 24 says that where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
The second rule stems from the first and concerns the proof that these measures have been implemented. The burden of proof therefore rests on the controller, which must be able to demonstrate that the personal data is processed in compliance with the Regulation.
The third paragraph provides that adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller. Recital 77 (4) includes the indications given by the data protection officer.
The Directive
Neither the Directive nor the legislation analysed in this commentary provided a provision comparable to that provided for in Article 22 of the Regulation.
Challenges
This provision makes clearer the growing scope of the obligations placed on controllers, which must be assessed in light of the increase both in the means of control over them and in the penalties for failing to comply with the obligations contained in the Regulation.
The definition of appropriate technical and organizational measures is undoubtedly one of the biggest challenges that the controllers will be facing in compliance of their processing under the Regulation.
Defining those measures will require reviewing the compliance of all existing processing and implementing a process for defining them. This will require greater coordination between the different departments of the enterprise or public authority (IT, legal, HR, marketing...), which will face the implementation of a risk analysis process and of the related measures to be taken, including with respect to the security of the processing. "Compliance" with the Regulation will have to reach a degree of professionalization, and a deployment of means, not comparable to what is expected today.
European Union
Article 29 Working Party
Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (3 October 2017)
(Endorsed by the EDPB)
The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.
Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.
Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.
This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.
In particular, according to article 70(1)(e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation, and article 70(1)(k) specifies the provision for guidelines concerning the setting of administrative fines.
These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.
In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (4 October 2017)
(Endorsed by the EDPB)
Regulation 2016/679 (GDPR) will apply from 25 May 2018. Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), as does Directive 2016/680.
A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance.
Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)-(4)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the competent supervisory authority where required (Article 36(3)(e)), can result in an administrative fine of up to 10M€, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.