We have been reading throughout about the data controller's role in the GDPR and how the data controller is normally the entity that collects the personal data of the data subject for further processing.
Article 4 defines the controller as follows: "'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"
The above definition makes it clear that the data controller has the responsibility and the duty of deciding the purpose and means of processing the data subject's personal data. Along with this responsibility, however, the data controller has an even bigger one: compliance with the GDPR. Let us see what Article 24 elucidates.
From the title of Article 24, we can gauge that it speaks about the responsibility of the controller. This responsibility is towards the data subjects, particularly their rights and freedoms. Taking into consideration the kind of processing, its nature, its purpose and its extent, the controller must implement appropriate technical and organisational measures in order to protect the data subjects' personal data from any kind of risk. These technical and organisational measures must be reviewed and updated periodically, especially when sensitive data is being processed, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.
Not only technical and organisational measures but also data protection policies must be implemented, and approved codes of conduct or approved certification mechanisms can be used to comply with the GDPR in a more effective manner.
Conclusion:
Article 24 mainly focuses on the rights and freedoms of the data subject, which are also the core areas of the GDPR. Any measure taken by the data controller that ignores this very important factor threatens the privacy of the data subject, thereby violating the GDPR and exposing the controller to hefty fines and penalties.