
Scope of proactive responsibility in the GDPR

In many articles and legal approaches, proactive responsibility is presented as the obligation of controllers and processors to be able to demonstrate the application of the GDPR in their organization: not only complying with what the GDPR requires, but going further and also complying with obligations to which the controller or processor is not bound, which they decide to implement on their own initiative and out of a culture of privacy even though those regulatory obligations do not directly apply to their type of organization.

Examples of proactive responsibility

Thus, the following are often given as examples of proactive responsibility:

  • Appointing a data protection officer when not obliged to do so.
  • Publishing the record of processing activities when the organization is private.
  • Applying more security measures than those indicated by the risk analysis and/or the data protection impact assessment.
  • Carrying out data protection impact assessments for processing operations that do not require one.
  • Carrying out risk analyses (assimilating them to impact assessment methodologies), calculating probabilities and impacts, when the methodology of the Risk Analysis Guide does not consider it necessary.
  • Providing constant staff training.

And so on: an endless list of examples that can be read in data protection articles and reports.

In my opinion, this is not so. I believe that the principle of proactive responsibility has been imported from common law and we should stick to what the GDPR says.

Guide to the general data protection regulation for data controllers

Likewise, the Spanish Data Protection Agency itself, in its Guide to the general data protection regulation for data controllers, extends the concept of Proactive Responsibility to compliance with the entire GDPR and not just the principles.

This Guide defines the principle of Proactive Responsibility as "the need for the data controller to apply appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing complies with the Regulation."

Proactive Responsibility in the GDPR

In practical terms, this principle requires organizations to analyze what data they process, for what purposes they do so, and what type of processing operations they carry out. Based on this knowledge, they must explicitly determine how they will apply the measures provided for by the GDPR, ensuring that these measures are appropriate to comply with it and that they can demonstrate this to data subjects and supervisory authorities.

In summary, this principle requires a conscious, diligent and proactive attitude on the part of organizations regarding all personal data processing they carry out. 

Even the Guide, as we see, mentions that one must have a conscious and diligent attitude.

Verify compliance with proactive responsibility measures in the GDPR

Additionally, the same Guide lists questions for verifying compliance with proactive responsibility measures which have nothing to do with Art. 5 of the GDPR, such as:

  • Have you carried out a risk assessment of what the processing operations you perform imply for the rights and freedoms of citizens? Have you determined which active responsibility measures correspond to your risk situation and how you should apply them?
  • Have you planned how to establish the record of processing activities in your organization?
  • Have you assessed whether any of the exceptions to this obligation apply? Have you planned who will be in charge of keeping the record updated?
  • Have you reviewed the security measures you apply to your processing operations in light of the results of your risk analysis? Do you consider that you can continue applying the security measures provided for in the LOPD Regulations? Have you sufficiently considered the possibility of introducing additional measures depending on the type of processing or the context in which it is carried out?
  • Based on the type of processing you perform, have you established mechanisms to quickly identify the existence of data security breaches?
  • Do you have reaction plans for different types of security breaches, including procedures to assess the risk they may pose to the rights and freedoms of those affected? Have you established procedures to notify the data protection authorities and, if necessary, the data subjects of security breaches?
  • Do you have a record or similar tool where you can document security incidents that occur, even if they are not notified to the data protection authorities?
  • Have you assessed whether the processing operations you perform require a Data Protection Impact Assessment because they pose a high risk to the rights and freedoms of data subjects?
  • Do you have a methodology for carrying out the Impact Assessment?
  • Depending on the type of processing you perform and the results of the previous risk analysis, do you have to appoint a Data Protection Officer?
  • Have you established the criteria for selecting the Data Protection Officer and, in particular, for assessing their professional qualifications and knowledge?
  • Does the DPO position, as configured in your organization, respect the requirements established by the GDPR regarding independence in the exercise of functions, position in the organizational chart, absence of conflict of interest and availability of the necessary resources?
  • Have you made the DPO designation and contact details public and communicated them to the data protection authority?
  • Have procedures been established so that data subjects can contact the DPO?

However, the GDPR clearly defines the principle of Proactive Responsibility in Art. 5(2) in the following terms:

“The controller shall be responsible for compliance with the provisions of paragraph 1 and shall be able to demonstrate it (“proactive responsibility”)”

Principles relating to processing

And what does that paragraph 1 say? It lists the principles relating to processing. There are six of these principles, and no more than those six. Personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) Accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of the personal data; personal data may be stored for longer periods provided that they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), subject to the application of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

While it is true that these principles admit numerous proactive responsibility measures, those measures must always be limited to the principles relating to processing listed above.

It would be necessary to list the measures that imply compliance with those principles. Once we are clear about which measures relate to these principles, PROACTIVE RESPONSIBILITY consists of being able to demonstrate compliance with those measures.

Consequently, any other measure not intended to comply with the principles relating to processing cannot be considered a measure of proactive responsibility, and adopting measures beyond those required of our organization should not be conceived as proactive responsibility either.


Senior Consultant in Data Protection and Criminal Compliance.
