Responsibility of the controller
(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
Article 24 places a "general principle of responsibility" (accountability) at the forefront of the general obligations of the controller; the definition of the controller itself is unchanged since the Directive (see G29, Opinion 3/2010 of 13 July 2010 on the principle of accountability). The controller is defined as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes (...) and the means of the processing of personal data" (Art. 4(7)).
The principle set out in the first paragraph comprises two rules.
The first rule confirms the special responsibility of the controller for implementing the appropriate technical and organisational measures so that the processing is carried out in accordance with the Regulation.
The Commission's initial proposal contained a list of the measures in question. The list was not carried over into the final text, but it remains very useful for understanding the scope of the principle. It covered most of the general measures that the Regulation otherwise leaves unspecified or only partly specified, such as: keeping the documentation provided for in Article 30, implementing the data security obligations laid down in Article 32, carrying out a data protection impact assessment under Article 35, complying with the requirements for prior authorisation or prior consultation of the supervisory authority under Article 36(1) and (2), and designating a data protection officer under Article 37(2) and (3).
This first rule also provides that, in determining the appropriate technical and organisational measures, account must be taken of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks to the rights and freedoms of natural persons.
Recitals 75 and 76 give many examples of the risks envisaged: processing likely to result in physical, material or non-material damage, in particular where it may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation or loss of confidentiality of data protected by professional secrecy; processing of sensitive data; evaluation of personal aspects; and so on. Likelihood and severity are to be assessed by reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment establishing whether the processing operations involve a risk or a high risk. According to recital 60 (3), a high risk is a particular risk of prejudice to the rights and freedoms of individuals.
Paragraph 2 of Article 24 says that where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
The second rule follows from the first and concerns proof of the implementation of these measures. The burden of proof thus rests on the controller, which must be able to demonstrate that personal data are processed in compliance with the Regulation.
The third paragraph provides that adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller. Recital 77 (4) adds to these the indications provided by a data protection officer.
Neither the Directive nor the legislation analysed in this commentary contained a provision comparable to Article 24 of the Regulation (Article 22 in the Commission's proposal).
This provision illustrates the growing scope of the obligations placed on controllers, which must be read in the light of the increased means of supervision and the penalties for failure to comply with the obligations contained in the Regulation.
Defining the appropriate technical and organisational measures is undoubtedly one of the biggest challenges controllers will face in bringing their processing into compliance with the Regulation.
Defining them will require a review of the compliance of all existing processing and the establishment of a process for determining the measures. This calls for closer coordination between the different departments of the enterprise or public authority (IT, legal, HR, marketing...) that will have to put in place a risk analysis process and the resulting measures, including with respect to the security of processing. Compliance with the Regulation will have to reach a degree of professionalisation, and mobilise resources, well beyond what is expected today.
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
First proposal
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
2. The measures provided for in paragraph 1 shall in particular include:
(a) keeping the documentation pursuant to Article 28;
(b) implementing the data security requirements laid down in Article 30;
(c) performing a data protection impact assessment pursuant to Article 33;
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);
(e) designating a data protection officer pursuant to Article 35(1).
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.
Second proposal
1. Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, the controller shall (...) implement appropriate measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
2a. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
2b. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the obligations of the controller.
No specific provision
Responsibility of the controller (Norwegian text of Article 24, translated)
1. Taking into account the nature, scope, purposes and context of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that the processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the controller's implementation of appropriate data protection policies.
3. Compliance with approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as a factor to demonstrate that the controller's obligations are complied with.
The old Act
See the Personal Data Act (pol.) §§ 13 (information security) and 14 (internal control).