16 provisions of the German version of the GDPR stipulate that the controller or the lawmaker have to check the Angemessenheit of their processing, data security, technical and organisational measures or laws.
Funfact: in the English version of the GDPR the term Angemessenheit is translated in 6 different ways:
- „adequate“ (1 x)
- „reasonable“ (5 x)
- „appropriate“ (1 x)
- „suitable“ (4 x)
- „proportionate“ (4 x)
- „due“ (1 x)
Here is the 16 Angemessenheitsprüfungen of the German version in its English equivalent:
Art. 5 I c: "Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Art. 5 I d: "[...] every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Art. 5 I f: "Personal data shall be processed in a manner that ensures appropriate security of the personal data [...]."
Art. 6 III 4: "The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued."
Art. 8 II: "The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility [...]."
Art. 9 II g: "Paragraph 1 shall not apply if one of the following applies: [...] processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject."
Art. 9 II i: "Paragraph 1 shall not apply if one of the following applies: [...] processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."
Art. 9 II j: "Paragraph 1 shall not apply if one of the following applies: [...] processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject."
Art. 12 V a: "[...] the controller may charge a reasonable fee [...]."
Art. 15 III 2: "[...] the controller may charge a reasonable fee based on administrative costs."
Art. 17 II: "[...] the controller [...] shall take reasonable steps [...]."
Art. 22 III: "[...] the data controller shall implement suitable measures to safeguard [...]."
Art. 24 II: "Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include [...]."
Art. 33 IV: "[...] the information may be provided in phases without undue further delay."
The term “reasonable” is used in 14 Recitals: 26, 39, 47, 50, 61, 63, 64, 66, 86, 92, 94, 106, 129 and 141 GDPR.
The term “adequate” is used in 7 Recitals: 39, 103, 104, 107, 114, 168 and 169 GDPR.
The term “appropriate” is used in 30 Recitals: 39, 43, 47, 50, 56, 58, 62, 71, 74, 77, 78, 83, 84, 85, 86, 87, 88, 102, 107, 108, 110, 129, 134, 141, 148, 150, 156, 157, 162 and 166 GDPR.
The term “suitable” is used in 5 Recitals: 52, 53, 54, 71 and 113 GDPR.
The term “proportionate” is used in 9 Recitals: 19, 49, 50, 62, 73, 129, 148, 151 and 152 GDPR.
The terms “due” and “undue” are used in 9 Recitals: 9, 59, 78, 85, 86, 87, 88, 148 and 150 GDPR.