Rina Steenkamp - Privacy and technology
Chapter IV Controller and processor
Section 3 Lifecycle data protection management
1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment.
2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations.
3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance.
4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative, shall make the compliance review available, on request, to the supervisory authority.
5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.
[Source: October 2013]
(74a) Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment. It should further demonstrate the ability of the data controller to comply with the autonomous choices of data subjects. In addition, in case the review finds compliance inconsistencies, it should highlight these and present recommendations on how to achieve full compliance.
[Source: October 2013 | Notes: Recitals | Context: Recitals]