This thesis analyses the liability of data controllers and data processors under the General Data Protection Regulation. The purpose of the thesis is to investigate whether current legislation is efficient, and to propose solutions to minimize the total cost while maintaining the same level of security. The starting point of the analysis is the requirement that the data controller be able to demonstrate compliance with GDPR, cf. art. 5, section 2 and art. 24, section 1.
In relation to ongoing processing activities, the data controller should be able to demonstrate the compliance of the data processors. This can be achieved with inspections and audits, cf. art. 28, section 3, point h. The present legal position is not entirely clear as to when and whether a data controller is obligated to initiate an inspection. However, given the present legal sources, it is concluded that the data controller is obligated to initiate inspections of the data processors after a period of time. The risk of the processing activity is paramount when assessing how often inspections should be conducted. The economic analysis suggests that the current legislation is inefficient, as the mandatory inspections do not create a deterrence effect in other games. However, inspections from the national authorities do create such a deterrence effect. It is thus concluded that the data controller should only conduct inspections when the data controller suspects that the processor is non-compliant. The integrated analysis investigates realistic initiatives that are more efficient than current legislation. Two aspects in particular are important in achieving efficiency under the current regulation: cooperation between the member states, and implementing a less restrictive audit rule together with random inspections from the national authorities.
|Educations|MSc in Commercial Law, (Graduate Programme) Final Thesis|
|Number of pages|83|