Examples of measures to implement different aspects of the principle are provided in the following.
Legitimacy and lawfulness
- At least where the verification and demonstration of legitimacy requires formal steps, these can be considered organizational measures in support of legitimacy. A prime example are the request and approval of certain medical research through the competent research ethics committee.
- A pre-requisite for evaluating both, legitimacy and lawfulness is the specification of explicit purposes. This in itself can be considered a measure, in particular when it goes hand in hand with considerations about how to make the specification as specific and narrow as possible. In this case, also such analysis can be considered part of this measure.
- The main measure in support of lawfulness is to identify one or several legal bases of Art. 6(1) GDPR. In many cases, a processing activity uses multiple legal bases. A use case published by the Data Privacy Vocabulary Community Group of the W3C provides an easily accessible example.
- Where Art. 6(1)(a) GDPR, i.e., consent, was chosen as a legal basis, an analysis that justifies that the stringent requirements of the GDPR for (freely given, informed) consent have been met is an important measure. This can for example include tests to see whether the information provided as basis for consent are indeed understandable to data subjects and whether the withdrawal of consent is indeed as easy as giving it.
- In addition, where children or other vulnerable data subjects are affected, this analysis should put special focus on safeguards relative to Art. 7 GDPR.
- Where Art. 6(1)(f) GDPR, i.e., legitimate consent by the controller, was chosen as a legal basis, measures include a precise specification of the legitimate interests, as well as a balancing test (see section of the same name in Main Actions and Tools) to ascertain that these indeed prevail over the interests, rights, and freedoms of data subjects.
- With any legal basis, where controllers intend to process certain data further, beyond the initial purposes, for compatible purposes (see Art. 5(1)(b) GDPR), the analysis based on the criteria of Art. 6(4) for demonstrating that these additional purposes are indeed compatible, is a measure that demonstrates the lawfulness such processing.
- If special categories of data (i.e., sensitive data) or data relating to criminal convictions are processed, further measures must be taken in addition to those relating to Art. 6(1) GDPR. In particular, in the former case, the condition of Art. 9(2) GDPR, why an exception to the prohibition of processing sensitive data applies, must be found and documented. In the latter case, the conditions that make the processing permissible according to Art. 10 GDPR shall be implemented and documented.
- As has been reasoned above, all requirements of the GDPR can be considered a matter of fairness; several data subject rights were presented as particularly relevant, however. Prime measures in support of fairness are thus an adequate implementation ofdata subject rights.
- Implementation of the requirements of Art. 12 through 14 GDPR to provide adequate and easy understandable information to data subjects is a prime measure to support transparency.
- The same goes for documents prepared to inform supervisory authorities, in particular the records of processing (according to Art. 30 GDPR) and a data protection impact assessment (according to Art. 35 GDPR). A further measure is the partial publication of this impact assessment.
- Any analysis that evaluates the effectiveness and accessibility of the provided information—possibly in regard with special categories of data subjects such as children—can be considered a measure in itself.
- The appointment of a Data Protection Officer can in part be seen as a measure to increase transparency, both towards data subjects and the supervisory authority.
1Bruegger, Schlehahn&Zwingelberg, Data Privacy Vocabulary Community Group, Data Protection Aspects of Online Shopping – A Use Case, https://www.w3.org/community/dpvcg/2019/12/12/data-protection-aspects-of-online-shopping-a-use-case/ (last visited 25/05/2020). ↑