Accountability
Article 5(2) GDPR — you must demonstrate compliance
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
The controller is not only required to comply with the GDPR — the controller must also be able to demonstrate this compliance (reversal of burden of proof).
What is accountability?
Mandatory documents for accountability:
- Records of processing activities (Article 30)
- DPAs (Article 28)
- DPIAs (Article 35) where required
- TOM documentation (Article 32)
- Training records
- Data breach logbook (Article 33(5))
- Consent logbook
Practical example
The supervisory authority asks, after a data breach, whether you reported it in time. You state 'yes, on day X'. The burden of proof lies with you — you must therefore produce the logbook and the email trail.
Frequently asked questions
What happens without evidence?
A presumption of a violation arises (BVerwG 6 C 6.20). A fine may be imposed under Article 83(4)(a) — up to 10 million.
How long should records be kept?
For as long as proceedings remain possible (limitation period: 3 years; AGG special cases: 6 months).
Is an Excel sheet sufficient?
Yes, provided that it is complete, dated, and verifiable.