Translating GDPR obligations into operational frameworks
Posted on May 15, 2026

1. A practice-oriented approach to GDPR accountability
Within the framework of Regulation (EU) 2016/679 (“GDPR”), compliance is no longer limited to the formal adoption of rules, but requires controllers to demonstrate, in a concrete and documented manner, the effective implementation of data protection principles. The accountability principle (Art. 5(2) GDPR) lies at the core of this approach, imposing on organizations the need to adopt structured measures capable of ensuring and evidencing compliance.
2. Privacy procedures as organizational measures of accountability
The adoption of internal privacy procedures constitutes a fundamental organizational measure through which controllers implement the accountability principle (Arts. 5(2) and 24 GDPR). These procedures serve the purpose of translating regulatory requirements into structured internal rules, ensuring consistency, traceability, and effective governance of processing activities.
From a compliance perspective, drafting efficient procedures requires not only identifying the applicable legal obligations, but also defining clear roles, responsibilities, and information flows within the organization. Properly designed procedures allow the controller to prevent and manage risks, as well as to demonstrate the existence of an internal control framework.
Against this backdrop, the first module of the Privacy Labs focuses on the practical definition of the structure and content of privacy procedures, with reference to key areas such as data breach management, handling of data subjects’ rights, third-party management, and data retention policies. The workshop is aimed at providing participants with the skills to design GDPR-compliant procedures, identifying objectives, operational steps, and responsibilities in line with an accountability-based approach.
3. The record of processing activities as a core compliance tool
The record of processing activities, provided for by Art. 30 GDPR, represents one of the main documentation obligations imposed on controllers and processors. Its purpose is to offer a clear and structured overview of processing activities, enabling both supervisory authorities and organizations themselves to verify compliance and monitor data flows.
Beyond its formal dimension, the record plays a crucial role within the accountability framework, as it supports risk assessments, DPIAs, and overall data governance. To be effective, it must accurately reflect the processing operations actually carried out and be kept up to date whenever those operations change.
Accordingly, the second module of the Privacy Labs addresses both the mandatory elements required by the GDPR and additional “nice to have” practices that enhance the usability and completeness of the record. Participants are guided through the process of compiling and maintaining the record, with the objective of ensuring its accuracy, consistency, and alignment with the applicable legal requirements.
4. Transparency obligations and the function of the privacy notice
Transparency is a core principle of the GDPR (Arts. 12–14), requiring controllers to provide data subjects with clear and accessible information regarding the processing of their personal data. In this regard, the provision of privacy notices to data subjects constitutes the primary instrument through which this obligation is fulfilled, enabling individuals to understand the purposes and modalities of processing and to exercise their rights effectively.
From a regulatory standpoint, the purpose of the privacy notice is therefore twofold: on the one hand, to ensure fairness and awareness for data subjects; on the other, to allow the controller to demonstrate compliance with its information obligations, which directly affect the lawfulness of processing.
Drafting an effective notice requires not only including all mandatory elements, but also ensuring clarity, transparency, and accessibility, considering the context of the processing and the characteristics of the recipients.
Within this framework, the third module of the Privacy Labs explores the criteria for drafting GDPR-compliant privacy notices, with specific reference to the elements required under Articles 13 and 14, as well as to best practices such as layered notices and notices tailored to specific categories of data subjects (including minors). The workshop aims to provide participants with the skills necessary to structure and deliver privacy notices that are both compliant and effective.
5. Legitimate interest and the structured balancing test
Pursuant to Art. 6(1)(f) GDPR, the use of legitimate interest as a legal basis requires the controller to verify that such interest is not overridden by the rights and freedoms of data subjects. This entails a prior assessment based on a structured balancing test, which, although not expressly mandated, is widely recognized as a key accountability tool and is typically documented through a Legitimate Interest Assessment (LIA).
The purpose of the LIA is to demonstrate that the controller has assessed the lawfulness, necessity, and proportionality of the processing, considering the context, the nature of the data, and the reasonable expectations of data subjects.
In light of this, the fourth module of the Privacy Labs focuses on the methodological steps required to conduct such an assessment, including the identification of cases in which an LIA is necessary, and the analysis of templates and guidance provided by supervisory authorities. Participants are guided through the purpose, necessity, and balancing tests, with the objective of enabling them to carry out and document a compliant and defensible LIA.
6. Risk-based approach and data protection impact assessments
The GDPR adopts a risk-based approach, requiring controllers to assess and mitigate the risks that processing activities may pose to the rights and freedoms of individuals. In cases where processing is likely to result in a high risk, Art. 35 imposes the obligation to carry out a Data Protection Impact Assessment (DPIA).
The purpose of the DPIA is to identify, analyze, and mitigate risks in a structured manner prior to the commencement of processing, as well as to demonstrate compliance with GDPR principles. More generally, risk assessments constitute an essential component of the accountability framework, supporting the selection of appropriate technical and organizational measures.
The fifth module of the Privacy Labs examines the criteria for determining whether a DPIA is required, in light of national and EU guidance, and provides an overview of methodologies and templates for conducting such assessments. Emphasis is placed on the identification of risks, their evaluation in terms of likelihood and severity, and the definition of mitigation measures. The practical session enables participants to simulate the performance of a DPIA, ensuring consistency between processing description, risk analysis, and safeguards.
Conclusion
By combining regulatory analysis with practical application, the Privacy Labs enables participants to translate GDPR obligations into structured and sustainable compliance frameworks. Its modular design supports the development of an operational, documented, and risk-aware approach to data protection, aligned with both regulatory requirements and best practices.
This article is authored by:
Gabriella D’Amico: Attorney at Law (Italy), Associate Partner, Rödl Italy
Tommaso Mauri: Attorney at Law (Italy), Associate, Rödl Italy
Beatrice Grassetto: Degree in Law, Junior Associate, Rödl Italy
