The controller’s responsibility

The Regulation is based on the accountability principle of the controller of the processing.

The Accountability principle foresees that the controller should adopt measures which guarantee a processing in accordance with the Regulation and that should demonstrate its concrete actualization and its objective effectiveness.

The performance criterion was already known in the Italian legal system with regard to the regulation on Responsibility of the Legal Person and Societies, included in Legislative Decree no. 31 of 8 June 2001.

For this purpose, there are no specific measures to adopt. It is up to the controller to evaluate and understand which should be the most appropriate even if, in a company, the setting of a real “model” aimed at guaranteeing the compliance and the conformity of the performed processing to the regulation in force looks essential.

First of all, the controller should carry out a preventive analysis of the measures to adopt in order to conform the new services and products to the Regulation (the so-called Privacy by design). In this contest it could be useful resort to specialists able to play the role of Data Protector Designer.

Moreover, the controller should ensure the automatic respect of the previsions of the Regulation and join the flow of information in order to prevent it being not respected (the so-called Privacy by default).

Privacy by design and Privacy by default are used to effect and demonstrate the realization of the Regulation but also to define the responsibility of the controller.

Among the measures the controller should necessarily effect, there are the DPIA, the appointment of the DPO if the conditions set out in article 37.1 are satisfied, the adoption of the BCR for extra-EU data transfer among intra-group societies and last but not least, the Records of processing (art. 30) where the controller should indicate all the processing.

The Records of processing, the DPIA, the records of appointments and assignments are essential tools to furnish the proof of the realization of the foreseen measures.

Even voluntary measures can be adopted as mechanisms of management of claims and of data breach, internal or external audit.

In case of data breach, the controller within 72 hours has to warn the supervisory Authorities and the data subject in case the breach may cause damages to his/her personal life.