The accountability principle

The GDPR introduces the accountability principle (see Article 5(2) in conjunction with Articles 24 and 32 of the GDPR).

In accordance with the accountability principle, the controller is responsible for, and must be able to demonstrate compliance with, the personal data processing principles established in Article 5(1) of the GDPR. A new compliance model has been adopted in conformity with the GDPR, the key point of which is the accountability principle: the controller is obliged to design, implement and generally take the necessary measures and adopt policies to ensure that data are processed in accordance with the relevant legislative provisions. In addition, the controller is charged with the further task of proving, at any time, compliance with the principles of Article 5(1) of the GDPR. Accountability is, therefore, a mechanism that ensures compliance with the principles relating to the processing of personal data. Furthermore, the controller is obliged, according to the accountability principle, to choose the appropriate legal basis and to legally substantiate any processing carried out in accordance with the legal bases provided for by the GDPR and national data protection law.

Thus, it is the obligation of the controller to take the necessary measures in order to comply with the requirements of the GDPR, as well as to be able to demonstrate such compliance at any time, without the need for the supervisory authority to make specific enquiries and requests to assess conformity, while exercising its powers.

The introduction of the accountability principle shifts the “burden of proof”, in terms of lawfulness of the processing and compliance with the GDPR, from the supervisory authorities to the controllers or processors themselves.

The GDPR provides controllers/processors with a set of regulatory methods and tools for this purpose, such as:

  • record-keeping of processing activities
  • implementation of security measures
  • data protection impact assessment
  • prior consultation and cooperation with the supervisory authority
  • designation of a data protection officer
  • compliance with the data breach notification obligation
  • adoption of codes of conduct and certification mechanisms, seals and marks.

It should be noted that appropriate technical and organisational measures implemented by the controller/processor for the purposes of accountability are taken into account by the supervisory authority when it decides on the imposition of an administrative fine, as well as on the amount thereof.