Article 15 — Responsibility of the Controller

  1. The controller shall implement appropriate technical and organisational measures to ensure that processing is performed in accordance with this Code and shall be able to demonstrate such compliance. Those measures shall take into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
  2. The measures referred to in paragraph 1 shall include, where appropriate:
    1. the adoption and implementation of written data protection policies setting out the controller's approach to the protection of personal data, including the allocation of responsibilities within the controller's organisation;
    2. the designation of qualified personnel or an external service provider responsible for overseeing compliance with this Code;
    3. the establishment of internal procedures for the handling of data subject requests pursuant to Title II of this Code;
    4. the implementation of technical safeguards, including but not limited to encryption, pseudonymisation, access controls, and audit logging;
    5. the conduct of regular training and awareness programmes for all persons who process personal data under the authority of the controller.
  3. The controller shall review and, where necessary, update the measures referred to in paragraphs 1 and 2 at regular intervals and in any event whenever there is a material change in the nature, scope, context, or purposes of processing, or whenever new risks are identified.
  4. Where proportionate in relation to the processing activities, the controller shall implement and maintain comprehensive data protection policies. The supervisory authority may publish guidance on the circumstances in which the adoption of formal data protection policies is to be considered proportionate.
  5. Adherence to approved codes of conduct referred to in this Code or to an approved certification mechanism may be used as an element by which to demonstrate compliance with the obligations of the controller under this Article.
  6. The controller shall be responsible for, and shall be able to demonstrate compliance with, the principles set out in Article 4, Article 5, and Article 6 of this Code.