The principle of accountability as anticipated by the article 29 Data Protection Working Party

By Andrea Reghelin | Monday January 9th, 2017

Regulation no. 679/2016 introduces a regulatory framework entirely focused on the duties and “accountability” of the Data Controller, reversing the perspective of the reference framework for personal data protection. Directive 95/46/EC, in fact, was entirely centered on the rights of the data subject, whereas the text of the new Regulation is mainly developed on processes, activities, technical and organizational measures, sanctions and obligations directed to the Data Controller.

This principle, although introduced for the first time in the new provisions, had already been examined by the Article 29 Data Protection Working Party in Opinion No. 3/2010, which suggested the insertion of a general provision to “reaffirm and strengthen the responsibility of Data Controllers”, structured so as to include an obligation to take appropriate and effective measures to implement the principles of data protection, as well as the need to prove that such measures have actually been implemented and give proof thereof if requested.

This Opinion, in essence, anticipates concepts now expressly contained in the GDPR, indicating by way of example a series of measures aimed at the pursuit of the “accountability” principle. These include the need to plan new processing operations so as to ensure compliance with regulatory requirements (privacy by design in the GDPR), the mapping of processing operations (the register of processing activities in the GDPR), and the establishment of transparent procedures for managing data subjects’ rights of access, rectification and deletion (strengthened in the GDPR by the introduction of the right to be forgotten). In addition, the same Opinion suggests that, under certain circumstances, privacy impact assessments should be considered, and that internal procedures should be defined for the management and effective communication of security breaches. Finally, the Working Party stresses that the measures taken should not be a mere formality, but should actually be implemented in practice and verified through periodic audits conducted by both internal (“internal audits”) and external (“external audits”) subjects.


About Andrea Reghelin

Andrea Reghelin is senior compliance manager at Partners4Innovation. He holds a specialization in business organization and information technology, and is an attorney. He deals with corporate compliance, in particular with new technologies law (privacy, IT controls, IT contracts, etc.) and business crime prevention (Legislative Decree no. 231/2001, safety at work and the environment), mainly providing consulting support to complex organizations. He is a lecturer at several educational events, as well as the author of articles and contributions published in professional journals.
