Responsibility of the controller
Taking into account the nature, scale, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons which vary in their likelihood and seriousness, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with this Regulation. Those measures shall be reviewed and updated as necessary.
Where proportionate to the processing activities, the measures referred to in paragraph 1 shall include appropriate data protection policies implemented by the controller.
Adherence to approved codes of conduct referred to in Article 40 or approved certification mechanisms referred to in Article 42 may be used as an element to demonstrate compliance with the obligations of the controller.
