The term “adequacy” and other words with the same root are found 113 times in the Italian text of the GDPR.
Adequacy is synonymous with “proportionality” i.e., being in proper relation to the element of comparison.
Adequacy in the GDPR is not a feature present in the material world but is a circumstance that can be inferred from an objective assessment of proportionality cast in the specific context, taking into account certain criteria [see recital (76)]. This assessment must be reviewed regularly and whenever the elements that were the bases for the judgment have changed (Art. 24, last sentence, GDPR).
The adequacy principle, in the GDPR, mainly refers to:
- The technical-organizational security measures
- The safeguards for the defense of the fundamental rights and freedoms of data subjects.
Adequacy of the measures
In principle, adequacy incorporates an aim that the legislature intends to achieve, for example, technical-organizational security measures are appropriate (proportionate) to the risk in order to achieve proper (suitable) security. The GDPR legislator expresses this concept in the wording of Article 32 when it prescribes, “(…) the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (…).”
At first glance, the wording would seem repetitive (i.e., ” appropriate measures for appropriate security”); instead, it is intended to express a precise concept: security measures must be appropriate per se, i.e., be inherently suitable to meet certain technical-organizational needs and, in addition, must also ensure, in the context of reference, a level of security proportionate to the risk.
For example, the adoption of an authentication system must be appropriate (suitable), per se, to ascertain the identity of the user requesting access to a computer system or software platform, but it must also be able to ensure (target) a level of security appropriate (proportionate) to the risk present in the specific circumstances of the case. This second profile obliges the controller and the processor to identify the level of strength of the technical-organizational measure, which is appropriate with the aim of achieving a level of security proportionate to the risk. The close correlation between
- appropriate security measures, and
- the level of risk identified
implies that as the risk increases, automatically the increase in the rate of strength of the intended security measures must correspond. Measures that are abstractly suitable but not proportionate to the actual risk do not comply with the principle of adequacy.