
IT Lexicon

Accountability / responsibility

The accountability principle is one of the main principles relating to the processing of personal data.

This principle, already indirectly enshrined in Directive 95/46/EC, is now expressly provided for by the GDPR.

It requires data controllers and processors to ensure that all the principles relating to the processing of personal data are complied with, in particular by implementing the most appropriate and adequate technical and organizational measures for each processing operation.

Organizations can adopt a body of policies relating to data protection and IT security (privacy policy, IT charter, etc.), and should also train and raise the awareness of the employees who handle personal data.

The principle of accountability also requires that those involved in processing be able to demonstrate compliance with all the principles relating to the processing of personal data, which is essential in the event of an investigation by a supervisory authority. In practice this means keeping adequate and up-to-date documentation of the processing carried out (register of processing activities, register of personal data breaches, data protection impact assessments, Security Assurance Plan, prior consultations, etc.).

Taking full responsibility for processing often provides a competitive advantage: accountability is an opportunity to show the public that respect for their privacy is a priority, and thus develop or maintain a relationship of trust.

To maintain accountability over time and thus develop a culture of data protection, internal mechanisms or organizational changes may be necessary.

The appointment of a Data Protection Officer, mandatory in certain circumstances, can also be part of this logic.

Adherence to a code of conduct or a certification can help demonstrate compliance with the principle of accountability, but it in no way reduces the responsibility of the controller or the processors, who must at all times be able to demonstrate that they are complying with the principles relating to the processing of personal data.

Failure to comply with the accountability/responsibility principle, or to demonstrate compliance, can result in very heavy sanctions by the supervisory authorities.

GDPR Point

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Article 5(2) of the GDPR

“The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.”

Recital 74 of the GDPR

Point of jurisprudence

The Italian supervisory authority fined Wind Tre €16,729,600, in particular for “failing to demonstrate compliance with the rules of the processing operations carried out and the deletion of the measures taken, as required by Article 5(2) of the Regulation”.

Garante per la protezione dei dati personali, July 9, 2020, N°9435753

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, IT charter …);
  • Documentation of your processing (register of processing activities, register of personal data breaches, data protection impact assessments, prior consultation …);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We also act as external Data Protection Officer for many data controllers and processors.