ENFORCEMENT BY THE DATA CONTROLLER

The data controller carries a limited number of enforcement obligations, but they are very important in their own right. These concern transborder data flows and the use of data processors.

Transborder data flows

If the data controller wishes to transfer data to a country outside the EEA, it needs to consider the adequacy test, bearing in mind that transfers to non-adequate countries are not allowed unless an exemption applies.

Where the data controller takes advantage of model contractual clauses or the BCR mechanisms to legitimize transfers, it acquires obligations that can be fairly categorized as being akin to enforcement obligations. Taking BCR as an example, the multinational organization needs to show that the rules are binding within the organization as a whole. This requires the organization to enforce the rules within its group, because BCR contain a self-regulatory obligation.

The use of data processors

The seventh data protection principle requires data controllers to take ‘appropriate technical and organizational measures’ against ‘unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. The interpretation within Schedule 1, Part II identifies a series of obligations that the data controller carries in respect of the choice of data processor, which effectively amount to enforcement mechanisms. In appropriate cases the seventh data protection principle will require the data controller to audit the data processor, an activity that many people consider to be synonymous with enforcement.
