PART 3Law enforcement processing

CHAPTER 4Controller and processor

General obligations

56General obligations of the controller

(1)Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.

(2)Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.

(3)The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.