BD.05 Appropriateness

Twelve GDPR provisions require the controller to carry out appropriateness tests, i.e. to check whether the measures or guarantees adopted are appropriate for meeting particular lawfulness requirements:

Art. 5 I e: “[…] personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […] subject to implementation of the appropriate technical and organisational measures […].”

Art. 9 II d: “Paragraph 1 [prohibition of processing sensitive data] shall not apply if processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with […].”

Art. 12 I 1: “The controller shall take appropriate measures to provide any information […] and any communication […].”

Art. 24 I: “Taking into account […] the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

Art. 24 II: “[…] the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”

Art. 25 I: “Taking into account […] the controller shall […] implement appropriate technical and organisational measures […] which are designed to implement data-protection principles, […].”

Art. 25 II 1: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

Art. 28 I: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures […].”

Art. 28 IV: “Where a processor engages another processor […] the same data protection obligations […] shall be imposed on that other processor by way of a contract or other legal act […], in particular providing sufficient guarantees to implement appropriate technical and organisational measures […].”

Art. 32 I: “Taking into account […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate […]:”

Art. 32 II: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing […].”

Art. 34 III a: “The communication to the data subject referred to in paragraph 1 [data breach] shall not be required if […] the controller has implemented appropriate technical and organisational protection measures.”

The term “appropriate” is also used in 30 Recitals: 39, 43, 47, 50, 56, 58, 62, 71, 74, 77, 78, 83, 84, 85, 86, 87, 88, 102, 107, 108, 110, 129, 134, 141, 148, 150, 156, 157, 162 and 166 GDPR.

Authors
Winfried Veil
Last update: 2021-05-22 14:27:36
By: Winfried Veil
Created at: 2021-05-12 21:45:04