The data protection compliance program

Author: Rosario Imperiali
Position: Member of EPA's Scientific Advisory Committee, European Privacy Association
Pages: 285-288


 !∀
285
The Data Protection Compliance Program
Rosario Imperiali
Member of EPA’s Scientific Advisory Committee
European Privacy Association
rosario.imperiali@imperiali.com
On January 25, 2012, the EU Commission set forth a proposal for a Regulation of the
European Parliament and of the Council on the protection of individuals with regard to the
processing of personal data and on the free movement of such data (General Data Protection
Regulation) and a proposal for a Directive of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data by competent authorities
for the purposes of prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and the free movement of such data. The Draft Regulation, once
approved by the European Parliament and the Council, should replace Directive 95/46/EC (the
"Data Protection Directive"), which has been criticized for being laden with loopholes and legal
uncertainty. A stronger and more coherent data protection framework in the EU, backed by
strong enforcement that will allow the digital economy to develop across the internal market as
well as put individuals in better control of their own data, is intended to prevent fragmentation in
the way personal data protection is implemented across the Union. The proposed regulation would
essentially create a single, unified law that applies to all 27 member states. It sets forth a new
legal regime which would foster protection for individuals based on a complete compliance
program that companies must demonstrate they fulfill.
© 2012 Rosario Imperiali. Published by JICLT. All rights reserved.
1. Synthesis
The proposed EU Regulation on the protection of individuals with regard to the processing of personal data and
on the free movement of such data (General Data Protection Regulation) [1] aims to introduce a legal model for
the management of personal data so that its use is highly protected. The regulatory action, entrusted to a
future EU Regulation with direct effect in Member States, requires the adoption of a model of management and
control that draws on the cycle of continuous improvement already present in quality
processes.
The data protection compliance program emerges from a combined reading of the following provisions of
the proposed Regulation:
Procedures and mechanisms for exercising the rights of the data subject
Article 12 obliges the controller to provide procedures and mechanisms for exercising the data subject's rights,
including means for electronic requests, and requires a response to the data subject's request within a defined
deadline and reasons for any refusal.
Responsibility of the controller
Article 22 takes account of the debate on a "principle of accountability" and describes in detail the obligation of
[1] 2012/0011 (COD)
