Article 24 GDPR
Responsibilities of the administrator

1. Taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and severity, the controller shall implement appropriate technical and organizational measures for the processing to be carried out in accordance with this Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary.

2. If proportionate to the processing activities, the measures referred to in paragraph 1 shall include implementation by the controller of appropriate data protection policies.

3. The use of approved codes of conduct referred to in Article 40 or an approved certification mechanism referred to in Article 42 may be used as a factor in determining whether the controller has complied with its obligations.