According to Article 5(2) of the GDPR, the controller is responsible for, and must be able to demonstrate, compliance with all the principles set out in Article 5(1). This includes the principle of accountability (see the accountability principle in the principles part of these Guidelines).
The accountability principle in the GDPR is risk-based: the higher the risk that a data processing operation poses to the fundamental rights and freedoms of data subjects, the stronger the measures needed to mitigate that risk. The accountability principle rests on several compliance duties for data controllers, including: transparency duties (Articles 12-14); guaranteeing the exercise of data protection rights (Articles 15-22); keeping records of processing operations (Article 30); notifying data breaches to the national supervisory authority (Article 33) and to the data subjects (Article 34); and, in cases of higher risk, appointing a DPO and carrying out a DPIA (Article 35).
The controller has documented how undesirable effects of the system or tool are detected, stopped and prevented from reoccurring.
The controller has documented all the organization’s measures, and the safeguards implemented, to ensure compliance with the data protection regulation.
If data are used for compatible purposes, the controller has adequately documented how the compatibility test was performed.
The controller has documented all DPIAs performed, the activities performed by the corresponding DPO and his or her interactions with the corresponding DPAs (if applicable).
1. See Articles 24, 25 and 32 of the GDPR, which require controllers to take into account the “risks of varying likelihood and severity for the rights and freedoms of natural persons” when adopting specific data protection measures.
2. This checklist has been built on the basis of the EDPB, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020.