23.09.2025
Accountability under the GDPR: Six measures for compliance
A key aspect of the General Data Protection Regulation (GDPR) is the accountability requirement set out in Article 5(2). In this article, we address the most important questions. While this provision establishes the basis for transparent and responsible conduct by controllers, it also poses significant challenges for organisations.

Dr Philipp Siedenburg
Operating Partner
What does accountability mean under Article 5(2) of the GDPR?
It refers to the obligation of the controller not only to comply with the principles of Article 5(1) of the GDPR when processing personal data, but also to be able to demonstrate that compliance. Alongside the obligation to comply with and implement the GDPR, there is therefore a requirement to provide evidence and documentation.
What exactly does accountability entail?
At the request of a supervisory authority, evidence must be provided that the principles of Article 5(1) of the GDPR are being complied with, and that the processing of personal data is carried out in accordance with the GDPR.
Specifically, the accountability requirement stipulates that controllers must be able to demonstrate compliance with the data processing principles of Article 5(1):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
All aspects of data processing must be documented. In particular:
- the purposes of processing
- the categories of data processed
- the recipients
- the retention periods
- the security measures taken
Technical and organisational measures (TOM) must also be implemented to ensure the security of the processed data and to prevent or respond appropriately to data protection breaches.
Who is accountable?
According to Article 5(2) of the GDPR, accountability lies with the controllers, but not with the processors. According to Article 4(7) of the GDPR, a controller is defined as any natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data, either alone or jointly with others.
Processors are also indirectly affected by the accountability requirement. According to Art. 4(8) of the GDPR, a processor is any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller and is bound by the controller's instructions in this respect.
It should be emphasised at this point that the controller cannot evade its responsibility by commissioning a processor. This means that the controller must ensure that the principles set out in Art. 5(1) GDPR are complied with in the context of commissioned processing. Compliance with these principles must also be demonstrated when commissioning a processor.
The six most important measures for fulfilling accountability
To fulfil the accountability requirements under Article 5(2) of the GDPR, it is necessary to implement various measures to ensure compliance with the GDPR's principles when processing personal data. The following important measures should be taken by organisations in particular:
1. Documentation of data processing
Controllers must document all aspects of their processing activities in a record of processing activities (Art. 30 GDPR), including the purposes, categories of data processed, recipients, retention periods and security measures; processors must keep a corresponding record of the processing they carry out on behalf of each controller (Art. 30(2) GDPR). This documentation serves as evidence of compliance with the GDPR.
2. Data protection impact assessment (DPIA)
A DPIA must be carried out for processing operations likely to pose a high risk to individuals' rights and freedoms. This analysis helps to identify and mitigate potential data protection risks.
3. Technical and organisational measures (TOM)
Appropriate security measures must be implemented to safeguard personal data from unauthorised access, loss or misuse. These include access controls, encryption, regular security audits and employee training.
4. Contracts with processors
When service providers process personal data on behalf of a controller, contracts must be concluded that clearly regulate data protection obligations and responsibilities, so-called data processing agreements with the mandatory content set out in Art. 28(3) GDPR.
5. Documentation of data breaches and incidents
An effective procedure for detecting, investigating, notifying and documenting personal data breaches should be established so that they are handled appropriately. Under Art. 33 GDPR, a breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and every breach, including those not notified, must be documented together with its effects and the remedial action taken (Art. 33(5) GDPR).
6. Cooperation with supervisory authorities
In the event of inquiries or audits by supervisory authorities, organisations should cooperate and be transparent in order to demonstrate compliance with the GDPR.
What are the consequences of violating accountability requirements?
Substantial fines may be imposed. In the event of violations of the principles of Article 5, supervisory authorities may, in addition to or instead of exercising their other remedial powers, impose a fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher (Art. 83(5) GDPR).
In its judgment of 4 May 2023 (Case C-60/22), the ECJ ruled that the absence of an arrangement between joint controllers under Art. 26 GDPR, or an incomplete or missing record of processing activities (RPA) under Art. 30 GDPR, does not in itself render the processing unlawful, since a breach of these obligations does not by itself establish that the rights and freedoms of the data subject have been violated. Consequently, a breach of accountability obligations does not necessarily render the processing unlawful. Nevertheless, such breaches remain subject to fines.
A prominent example: the Irish Data Protection Commission imposed a fine of EUR 17 million on Meta Platforms Ireland Limited. Following twelve personal data breach notifications, the company was unable to demonstrate the security measures it had implemented to protect the personal data of EU users. The authority considered this to be a breach of the accountability requirement.
Why is professional advice useful in fulfilling accountability requirements?
We implement measures to ensure compliance with accountability requirements in practice. To this end, we conduct a detailed inventory of your data processing procedures and develop customised technical and organisational measures that meet legal requirements and can be efficiently integrated into your everyday business operations.
We continuously monitor the implementation of GDPR requirements, update data protection impact assessments and optimise contract clauses. In the event of a data protection violation, we will guide you safely through the reporting process and support you in implementing corrective measures. This way, you can be sure that you always meet all accountability requirements, allowing you to focus fully on your core business.
ISiCO can support you with your data protection management system (DPMS)
- Design and implementation of a new DPMS
- Optimisation of an existing DPMS