
The GDPR puts forward a new compliance model that companies should adopt, with the principle of accountability at its heart. Under this principle, each company, as a controller, is required to design, implement, and generally take the necessary measures and policies to ensure that data processing complies with the relevant legislative provisions.

In addition, the controller bears the further duty of being able, at any time, to demonstrate its compliance with the principles of the GDPR. In other words, the GDPR essentially reverses the “burden of proof” as to the lawfulness of processing (and compliance with the principles of the GDPR in general), shifting it to the controller: it can validly be argued that the controller bears the burden of invoking and proving the lawfulness of the processing.

The above points emerge from the many decisions of the DPAA, including its recent decision imposing a fine of €30,000 on a company for failing to satisfy a right-of-access request. For the full text of the decision see https://www.dpa.gr/sites/default/files/2022-02/61_2021anonym.pdf.

There is no exhaustive list of what a company must do to be GDPR compliant, but in any case it must at least do the following:

– keep an Article 30 record of personal data processing activities, which is essentially a mapping of the personal data it processes

– maintain documented policies and procedures that derive not only from the processing of data but also from the identity of each company and its activity

– provide appropriate information notices to data subjects at the points where personal data are collected

– sign data processing agreements with the data processors with whom it cooperates

– maintain appropriate mechanisms for receiving and responding to requests from data subjects exercising their rights under the GDPR (e.g. access, erasure, etc.)

Each company must take all measures of an organisational, technical and legal nature needed to be GDPR compliant. This implies establishing and recording policies, procedures and notices to data subjects, so that the company is able to demonstrate, at any time, both that it is effectively GDPR compliant and that the processing in question is lawful.