General Data Protection Regulation

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Holdings

C-492/23, 2 Dec 2025

X v Russmedia Digital SRL and Inform Media Press SRL

An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace cannot rely on Articles 12 to 15 of Directive 2000/31 on the liability of intermediary providers in relation to an infringement of its obligations under Article 5(2), Articles 24 to 26, and Article 32 of Regulation 2016/679.

C-340/21, 14 Dec 2023

VB v Natsionalna agentsia za prihodite

Unauthorised disclosure of personal data, or unauthorised access to those data by a 'third party' within the meaning of Article 4(10), is not enough by itself to show that the controller's technical and organisational measures were not 'appropriate' within the meaning of Articles 24 and 32.

C-129/21, 27 Oct 2022

Proximus NV v Gegevensbeschermingsautoriteit

A national supervisory authority may require a provider of publicly available telephone directories and directory enquiry services, acting as controller, to take appropriate technical and organisational measures to inform third-party controllers that the subscriber has withdrawn consent. Those third-party controllers may include the telephone operator that supplied the subscriber's data to that provider and other directory or directory enquiry providers to whom that provider supplied the data.