The scope of application of the accountability principle is not merely that of demonstrating whatever the data controller claims about its GDPR compliance; in fact, accountability consists of a twofold obligation:
- To comply with the general principles (“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (of Article 5)”), and
- To be able to prove it (to this effect, CJEU C-340/21, para. 49).
Compliance obligation
The scope of the accountability principle – consisting primarily of the obligation to comply – is specified by the GDPR itself and additional data protection regulations. In particular, by:
- Directive 95/46/EC (Art. 6.2), which already stipulated that “It shall be for the controller to ensure that paragraph 1 is complied with.” (i.e., the general principles, ed.)
- Article 24, GDPR, which states that “the controller shall implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is carried out in accordance with this Regulation”
- Article 4, EUDPR (Regulation 2018/1725), which states “The data controller is responsible for compliance with paragraph 1 (i.e. the general principles, ed.) and able to prove it (‘accountability’).”
- Article 10.1 of Convention 108+, which states “Each Party shall provide that controllers and, where applicable, processors, take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate (…), that the data processing under their control is in compliance with the provisions of this Convention.”
- Article 24 of the OECD Guidelines, according to which, in order to implement accountability, the data controller should:
a) Have in place a privacy management program that:
- gives effect to the Guidelines for all personal data under its control;
- is tailored to the structure, scale, volume and sensitivity of its operations;
- provides adequate safeguards based on privacy risk assessment;
- is integrated into its governance structure and includes internal control mechanisms;
- includes plans for responding to questions and incidents;
- is updated in light of ongoing monitoring and periodic evaluation;
b) Be prepared to demonstrate the adequacy of its privacy management program, particularly at the request of a privacy enforcement authority or other entity responsible for compliance with adherence to a code of conduct or similar agreement that gives binding effect to the guidelines.