1 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational...

Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

Adherence to approved codes of conduct as referred to in  Article 40  or approved certification mechanisms as referred to in  Article 42  may be used as an element by which to demonstrate compliance with the obligations of the controller.