
Accountability

The obligation of the controller to not only comply with all GDPR principles, but to be able to actively demonstrate that compliance — Art. 5(2) GDPR.

Accountability is one of the seven core principles of the GDPR and is enshrined in Art. 5(2) GDPR. It means that the controller is not only responsible for complying with the other principles of Art. 5(1) — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality — but must also be able to actively demonstrate that compliance. The burden of proof lies with the controller, not the supervisory authority.

In concrete terms, organisations must design and document their data protection processes in such a way that, in the event of a supervisory authority inspection or a complaint from a data subject, they can provide complete evidence of GDPR compliance. The key instruments of accountability include the Record of Processing Activities (Art. 30 GDPR), documented Data Protection Impact Assessments (Art. 35 GDPR), written Data Processing Agreements (Art. 28 GDPR), records of consent, and evidence of staff training.

For compliance officers, accountability is the overarching guiding principle for all data protection work: it is not enough to act in a GDPR-compliant manner — that conduct must also be provable. A well-maintained data protection management system that comprehensively documents all measures, decisions, and reviews is therefore not only a legal requirement but also an effective tool for risk minimisation and for demonstrating trustworthiness to customers and business partners.

Legal Basis

Art. 5(2) GDPR

Practical Example

The competent data protection authority notifies your organisation of an inspection and requests, within 14 days, the ROPA, an overview of all DPAs, evidence of staff training, and documentation of any DPIAs conducted. As compliance officer, you are able to point to a fully maintained data protection management system: all requested documents are current, complete, and can be compiled within hours. Accountability enables you to provide the authority with a structured body of evidence within the deadline, demonstrating the seriousness of your data protection efforts.

FAQ

The accountability principle (Art. 5(2) GDPR) requires the controller not only to ensure compliance with all GDPR principles, but to be able to actively demonstrate that compliance. The burden of proof lies with the controller, not the supervisory authority.

Through comprehensive documentation of all data protection measures: an up-to-date ROPA, documented DPIAs, written DPAs, consent records, training evidence, and internal data protection policies. A data protection management system greatly facilitates the structured maintenance of these records.

If an organisation cannot demonstrate GDPR compliance when requested by a supervisory authority, fines may be imposed even if the underlying processing was lawful. Missing documentation is treated as a standalone violation and can be penalised with fines of up to €10 million or 2% of annual global turnover.
