Article 24 - Responsibility of the controller

Article 24 of the EU General Data Protection Regulation (GDPR) sets out the responsibility of controllers to implement their obligations regarding data protection. It requires controllers to have measures in place that ensure data protection compliance is maintained and to be able to demonstrate this compliance. This article plays a crucial role in the GDPR, as it emphasizes the proactive role that organizations must take in safeguarding personal data.

Article 24 (1) of the EU GDPR states that controllers must implement appropriate technical and organizational measures to meet the principles of data protection. These measures should be designed to ensure that data processing operations meet the requirements of the GDPR and protect the rights of data subjects effectively. The aim is to mitigate risks to data subjects and address potential threats to personal data confidentiality, integrity, availability, and resilience.

For example, a company planning to collect and process customer data for marketing purposes needs to implement measures to protect that data. This could include encryption of sensitive information, securing data access through strong authentication methods, regular data backups, and monitoring internal data handling processes. By implementing these technical and organizational measures, the company demonstrates its commitment to protecting personal data and complying with GDPR obligations.

Article 24 (2) of the EU GDPR outlines an important requirement for controllers to take into account the nature, scope, context, and purpose of data processing when implementing their measures. This means that the measures put in place should be directly suited to the specific circumstances of the data processing activity at hand. Taking these factors into consideration ensures that the measures employed are both proportionate and effective in meeting data protection requirements.

For example, a healthcare provider is required to implement additional security measures due to the sensitivity of the personal data they handle. This might include restricted access to medical records, strong encryption methods, and regular security audits. By adapting their measures to the specific context of healthcare data processing, the healthcare provider demonstrates a tailored and appropriate approach to protecting personal data.

Article 24 (3) of the EU GDPR focuses on the responsibility of controllers to regularly review the effectiveness of the measures in place to ensure continuous compliance with data protection requirements. This implies that organizations must assess their data processing activities, measure the effectiveness of their measures, and improve or update them if necessary. Periodic checks and audits are essential to maintaining an effective data protection framework.

For example, a financial institution may conduct regular internal audits to assess the effectiveness of their data protection measures. By identifying any weaknesses or areas for improvement, they can address these promptly to enhance their compliance with GDPR. The ongoing review of measures demonstrates a commitment to continuous improvement and an understanding of the importance of adapting to evolving risks and vulnerabilities.

In conclusion, Article 24 of the EU GDPR emphasizes the proactive responsibility of controllers to implement appropriate technical and organizational measures to ensure data protection compliance. By taking into account the nature and purpose of data processing, regularly reviewing the effectiveness of measures, and adapting them accordingly, organizations can demonstrate their commitment to safeguarding personal data and meeting GDPR obligations.