GDPR: What is the meaning of accountability?

With the introduction of the General Data Protection Regulation (GDPR), organizations have a greater responsibility to protect the personal data of data subjects. The introduction of this ‘accountability’ of organizations means that they can be held accountable for correctly processing and storing personal data. The central administration is the ‘responsible’ organization and is accountable to a European privacy supervisor.


  • Meaning of accountability
  • Which organization is the responsible organization?
  • Central administration
  • What is a European privacy supervisor?
  • Leading supervisor
  • Exception: policy and decision-making in another location


Meaning of accountability

With the introduction of the GDPR, organizations that process personal data have been given more responsibilities to protect the personal data of data subjects. This translates into the so-called accountability obligation: the obligation of organizations that process personal data to demonstrate to a European privacy supervisor that they act in accordance with the rules of the GDPR. Accountability is an extension of the responsibilities and duties of organizations, with the aim of better protecting the right to privacy of data subjects. Organizations may only process personal data if there is a basis for doing so, and that basis must be found in one of the GDPR principles.

Which organization is the responsible organization?

In a number of cases, a company or organization consists of several establishments spread across several Member States. One of these establishments is charged with the so-called accountability. This establishment is called the ‘responsible’ organization. The responsible organization, the organization responsible for the processing of personal data, is the one that determines the purposes and means of the processing of personal data (the central administration). A ‘responsible party’ is supervised by one and the same European privacy supervisor.

Central administration

The organization where the central administration is located is the organization that determines the purpose and means of processing personal data. This is the organization that can be regarded as the responsible organization for processing personal data and must be accountable for this to one and the same European privacy supervisor.

What is a European privacy supervisor?

European privacy regulators check whether organizations correctly implement and comply with the GDPR rules. From May 25, 2018, European privacy regulators can impose a fine on an organization if it appears that this organization does not comply with (one of) the rules of the GDPR. Fines can run to millions of euros. Every organization (or company) has only one and the same privacy supervisor. This is called the ‘lead supervisor’.

European privacy regulators have two important tasks:

  1. Monitor organizations by checking whether they process personal data as prescribed by the GDPR.
  2. Check whether organizations process and store personal data correctly in accordance with the GDPR.


Leading supervisor

Normally, the lead supervisor of an organization is the supervisor of the Member State where the head office of the organization is located, i.e. where the central administration is located. The establishment where the central administration takes place can be regarded as the responsible organization.

Exception: policy and decision-making in another location

In the event that an organization’s policy and decision-making regarding personal data processing takes place in an establishment other than the establishment where the central administration is located, and this establishment is located in an EU Member State other than the Member State of the central administration, there is an exception. In that case, the supervisory authority of the Member State where the policy and decision-making on the processing of personal data takes place can be regarded as the designated supervisory authority.
