The accountability model Flashcards
(10 cards)
The accountability principle
The controller shall be able to demonstrate that it has adopted a comprehensive process of
- legal,
- organizational and
- technical measures
for the protection of the data subject’s personal data.
The accountability principle
Art. 5 of GDPR
Art. 5 (1):
Principles relating to the processing of personal data:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
Art. 5 (2):
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
The principles laid down in Art. 5 (1) are specified by the various material and organizational obligations under the GDPR.
Accountability
- two-tiered mechanism:
  - triggering of measures and/or procedures, and keeping evidence thereof
  - setting up and implementing voluntary accountability systems that exceed minimum regulatory standards
Accountability
- demonstrate compliance of data processing with the GDPR
The controller shall be able to demonstrate the compliance of its processing with the principles set out in Art. 5 (1), as specified by the various material and organizational obligations under the GDPR.
- maintain records of processing activities under its responsibility
- written form is generally advisable
- cooperate with the supervisory authority and make those records available to it on request
The subjects of the accountability model
Data controller
Data processor
Data protection officer
The subjects of the accountability model
Data controller
- Natural or legal person,
- public authority,
- agency or other body
which,
alone or jointly with others,
determines the purposes and means of the processing of personal data (Art. 4, No. 7)
- Joint controllers: those who “jointly determine the purposes and means of processing” (Art. 26 GDPR)
- Art. 29 GDPR - Processing under the authority of the controller or processor:
«The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law».
The subjects of the accountability model
Data processor
- Natural or legal person,
- public authority,
- agency or other body
which processes personal data on behalf of the controller (Art. 4, No. 8)
The subjects of the accountability model
Data protection officer
A person appointed by the controller to oversee compliance with the legal provisions on data protection.
(Art. 39 GDPR)
Accountability
Appropriate data protection policies of the controller
- Internal compliance systems that monitor whether the company processes personal data in compliance with the legal provisions are encouraged (e.g. a Data Protection Management System)
- Proportionality (risk-based approach)
- Taking into account the potential liability claims arising from violations and the considerable fines, such protection policies are in the company’s economic interest.
- If a Data Protection Officer has been appointed, he/she could be in charge of the Data Protection Management System
Accountability
Joint controllers
- Clear allocation of responsibilities:
  a) in a transparent manner
  b) the joint controllers determine their respective responsibilities for compliance
- An arrangement between them (unless their respective responsibilities are determined by Union or Member State law to which the controllers are subject)
- The arrangement may designate a contact point for data subjects.
- The essence of the arrangement shall be made available to the data subject.
- A written form is advisable.
- Irrespective of the terms of the arrangement, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.