EU GDPR – Article 24 (Responsibility of the Controller)

Abstract

EU GDPR Article 24 establishes a core accountability principle by placing direct responsibility on the data controller to ensure that all personal data processing complies with the General Data Protection Regulation (GDPR). Rather than relying solely on written policies or third-party assurances, Article 24 requires controllers to actively implement appropriate technical and organisational measures and to demonstrate compliance at all times. This article explains the scope of Article 24, its key requirements, practical activation steps, real-world use cases, dependencies on other GDPR provisions, and the tools and technologies that support compliance.

Explanation

Article 24 of the GDPR focuses on accountability, a foundational principle of data protection law. It states that the controller, the entity that determines the purposes and means of processing personal data, must ensure that processing activities comply with the GDPR and must be able to demonstrate that compliance.

This responsibility applies regardless of the size of the organisation, though the nature, scope, context, and purposes of processing are taken into account. Controllers must assess the risks to individuals’ rights and freedoms and implement safeguards proportional to those risks.

Importantly, Article 24 goes beyond passive compliance. It requires continuous oversight, regular review of measures, and adaptation as risks, technologies, or processing activities change. The regulation also allows controllers to rely on approved codes of conduct or certification mechanisms as evidence of compliance, though these do not replace legal responsibility.

Key Points

  1. Controller accountability: The controller is legally responsible for GDPR compliance.
  2. Risk-based approach: Measures must reflect the nature, scope, and risks of processing.
  3. Demonstrable compliance: Controllers must prove compliance, not just claim it.
  4. Ongoing obligation: Compliance measures must be reviewed and updated regularly.
  5. Organisational and technical measures: Policies, training, security controls, and governance structures are all required.
  6. Optional compliance aids: Codes of conduct and certifications may support compliance.
  7. No delegation of liability: Even when using processors, responsibility remains with the controller.

General Activation Steps

To activate Article 24 compliance, controllers should follow a structured approach:

  1. Map Processing Activities: Identify what personal data is collected, why it is processed, where it is stored, and who has access.
  2. Assess Risks: Evaluate risks to data subjects’ rights and freedoms, considering factors such as data sensitivity and processing scale.
  3. Implement Policies and Governance: Establish internal data protection policies, assign responsibilities, and define escalation procedures.
  4. Apply Technical Safeguards: Use access controls, encryption, secure storage, and system monitoring to protect personal data.
  5. Train Staff: Ensure employees understand GDPR obligations and their role in protecting personal data.
  6. Document Everything: Maintain records of decisions, assessments, and safeguards to demonstrate compliance.
  7. Review and Update Measures: Regularly reassess controls as processing activities or risks evolve.

Use Cases

Article 24 applies across industries and organisational sizes. Common use cases include:

  1. E-commerce platforms: Controllers must ensure customer data processing, payment handling, and marketing activities align with GDPR standards.
  2. Healthcare providers: Sensitive health data requires strong organisational controls and heightened security safeguards.
  3. SaaS companies: Controllers must manage customer data responsibly, even when relying on cloud processors.
  4. HR departments: Employee personal data must be processed lawfully, securely, and transparently.
  5. Marketing agencies: Controllers must ensure lawful data collection, consent management, and data usage accountability.

In each case, Article 24 ensures that responsibility cannot be shifted or ignored.

Dependencies

Article 24 is closely connected to other GDPR provisions, including:

  1. Article 5 (Principles of Processing): Sets the foundational principles that controllers must uphold.
  2. Article 30 (Records of Processing Activities): Supports demonstrable compliance through documentation.
  3. Article 25 (Data Protection by Design and by Default): Requires privacy considerations during system design.
  4. Article 28 (Processor Obligations): Ensures controllers select compliant processors.
  5. Article 32 (Security of Processing): Defines security measures that support accountability.

Together, these articles create a comprehensive compliance framework.

Tools and Technologies

To meet Article 24 obligations, controllers commonly rely on:

  1. Data Mapping Tools: Identify and track personal data across systems.
  2. Compliance Management Software: Centralise policies, records, and compliance reporting.
  3. Risk Assessment & DPIA Tools: Evaluate processing risks and document mitigation measures.
  4. Access Control & Identity Management Systems: Limit data access to authorised personnel only.
  5. Encryption and Security Solutions: Protect data both at rest and in transit.
  6. Audit and Monitoring Tools: Detect non-compliance and support continuous improvement.

These tools help transform legal obligations into operational practices.

Let’s Wrap

EU GDPR Article 24 reinforces the principle that data protection is an ongoing responsibility, not a one-time task. By placing accountability squarely on the controller, the GDPR ensures that organisations take ownership of how personal data is processed, protected, and governed.

Compliance with Article 24 requires a proactive, risk-based approach supported by strong governance, robust technical safeguards, and continuous review. When implemented effectively, Article 24 not only reduces regulatory risk but also builds trust with customers, employees, and stakeholders, turning compliance into a strategic advantage rather than a burden.
