Voluntary Undertaking

Definition

A voluntary undertaking is a formal, binding commitment submitted by a data controller or processor to a supervisory authority, typically offered during an investigation or enforcement proceeding. In the undertaking, the organization acknowledges specific compliance gaps or breaches and proposes a structured corrective action plan to rectify them within a defined timeline. The mechanism serves as a proactive regulatory settlement tool: it lets an organization demonstrate a good faith effort to resolve issues without a full adversarial adjudication or prolonged litigation. Entities that engage in the process often seek a mitigation of penalty, aiming to resolve the matter through constructive remediation rather than punitive fines. Once accepted by the regulator, the undertaking bars further proceedings on the specific issues it covers, provided the organization strictly adheres to its compliance commitment.

Real-World Examples

Remedying Security Gaps

After self-reporting a minor breach caused by outdated encryption protocols, a financial institution submits a voluntary undertaking to the regulator. The organization commits to upgrading its entire cryptographic infrastructure and conducting quarterly security audits for two years. The supervisory authority accepts this compliance commitment, suspending further enforcement action while monitoring the corrective action plan.

Spam Marketing Resolution

Facing complaints about unsolicited marketing emails, an e-commerce company offers a voluntary undertaking agreement to the regulator. It admits to the lack of proper consent management and promises to implement a new opt-in system and delete non-consented data. This good faith effort resolves the inquiry without a significant fine, provided the company adheres to the timeline.

A voluntary undertaking is a legally binding agreement in which an organization promises to take specific actions to rectify non-compliance with data protection laws. It is typically submitted to the supervisory authority and may include commitments to stop certain practices, implement new safeguards, strengthen governance, or remediate specific control gaps as part of a regulatory resolution. In practice, organizations often treat the undertaking as a time-bound corrective action plan with assigned owners, milestones, and evidence; WatchDog Security GRC Wiki’s Compliance Center can help track these remediation tasks and map supporting evidence into an exportable package to demonstrate completion.

An organization can typically offer a voluntary undertaking at any stage of a regulatory proceeding, from the initial inquiry up to the point at which a final order is issued. It is most effective when offered early, such as when self-reporting a breach or immediately after receiving a notice of inquiry, because an early offer demonstrates accountability and a willingness to cooperate.

The primary benefit is the potential mitigation of penalty, as regulators often view the undertaking as a mitigating factor that reduces the need for harsh fines. It also helps in avoiding litigation costs, shortening the duration of investigations, and preserving the organization's reputation by framing the resolution as a proactive compliance commitment rather than a punitive defeat.

While the specific legal terminology varies by jurisdiction, offering a voluntary undertaking generally implies an admission of the factual basis of the non-compliance. The organization usually must acknowledge that a violation or gap occurred to propose a valid corrective action plan, which functions effectively as an admission for the purpose of the settlement.

The supervisory authority has the discretion to reject a voluntary undertaking if it believes the terms are insufficient to address the harm caused, if the violation is too severe to be settled, or if the organization has a history of repeat offenses. In such cases, the regulator proceeds with standard enforcement action and adjudication.

If an organization fails to adhere to the terms of the voluntary undertaking, it is treated as a separate and often more serious violation. The supervisory authority typically revokes the settlement, reinstates the original proceedings, and may impose significantly higher penalties for the breach of the undertaking itself, viewing it as a failure of good faith.

A successful voluntary undertaking often leads to a reduction or suspension of monetary penalties. By committing to specific remedial measures and bearing the cost of compliance improvements, the organization provides an alternative form of accountability that the regulator may accept in lieu of, or as a reduction to, a direct financial fine.

In many jurisdictions, voluntary undertakings are made public to ensure transparency and to deter other entities from similar non-compliance. The supervisory authority may publish the terms of the agreement on its website, detailing the nature of the breach and the steps the organization has committed to taking to fix it.

References & Resources

Version: 1.0.0
Date: 2026-02-26
Author: WatchDog Security GRC Wiki Team
Description: Initial publication