Main Categories | Law | GDPR:Balancing Criteria

BC.10 State of the Art


In some GDPR provisions, the applicability of the provision or measures of the controller depend on the state of the art or available technology:


Art. 17 II: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology […], shall take reasonable steps […].


Art. 25 I: “Taking into account the state of the art […] the controller shall […] implement appropriate technical and organisational measures […].”


Art. 32 I: “Taking into account the state of the art […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […].” [see Rec. 83 (2)]


Rec. 26 (4): On the question of whether a person is identifiable “the available technology at the time of the processing and technological developments” have to be taken into consideration.


Rec. 78 (4): “When developing, designing, selecting and using applications, services and products […] producers of the products, services and applications should be encouraged to take into account the right to data protection […] and with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”


Rec. 84 (3): “Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.” [see also Rec. 94 (1)]


In German national law, the state of the art may be taken into account according to §§ 22 II 2 BDSG (German Data Protection Act).

Winfried Veil
Related Tiles (0)
Social Media
Last update: 2021-05-19 13:51:56
By: Winfried Veil
Created at: 2021-05-12 21:19:50