Article 22*
Article 22 – Responsibility of the controller
Commission Proposal
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
2. The measures provided for in paragraph 1 shall in particular include: (a) keeping the documentation pursuant to Article 28;
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.
EDRi’s proposed amendment
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
2. The measures provided for in paragraph 1 shall in particular include: (a) keeping the documentation pursuant to Article 28;
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
3a. The controller shall make public a summary of the measures referred to in paragraphs 1 and 2.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.
Justification
The procedures to facilitate the exercise of data subject rights are an important part of being in compliance with the Regulation and should thus be explicitly referred to here. In the interest of transparency, at least a summary of the measures adopted should be made public. This fits in with a general trend towards greater transparency of businesses.
Regarding the use of internal auditors in paragraph 3, EDRi questions whether such verifications can be fully independent.