In this article we explain the principle of accountability, which is key to avoiding mistakes in the management of personal data. Enjoy a new entry in our series of content on the GDPR.


Introduction

The principle of accountability, also known as proactive responsibility, is the obligation established by the General Data Protection Regulation (GDPR) under which the data controller must not only comply with data protection regulations but also be able to demonstrate such compliance through verifiable documentation, technical measures, and organizational measures.

In many cases, the origin of the sanctions lies in formal non-compliance with current data protection regulations, for example the lack of a legal basis for the data processing. On other occasions the origin lies in errors in data management that seriously compromise users' privacy rights, for example disclosing information to third parties without authorization.

Today, in our new content of the series dedicated to the GDPR, we are going to talk about the principle of accountability.

Protect your organization’s reputational and financial assets by implementing automated protocols that mitigate any legal risks or penalties related to data management, thanks to our regulatory compliance solutions.

The importance of the principle of accountability

It is true that nowadays, with the growth of cybercrime and its technological specialization, it is difficult to prevent a security breach from turning into a leak or theft of customer data. For this reason, the General Data Protection Regulation (GDPR) obliges the data controller to use all available means to minimize the impact of such a breach on the organization. So much so that, when a breach occurs, it is mandatory to notify the supervisory authority within a maximum period of 72 hours. This obligation is part of the principle of accountability, also called proactive responsibility.

Accountability is understood as the ability of the controller to comply with data protection regulations and to demonstrate that it does so. Some of the companies recently sanctioned by the AEPD, according to the agency's own rulings, did not respect this principle. For example, one of the fines imposed on a company was due to its failure to update a client's data, which resulted in that client's inclusion in a file of non-payments. In other cases, the reason was the lack of a database that would allow the data to be processed with guarantees. In still other cases, the company was unable to prove that the client or user of the service had given their consent. In these cases, the result was a breach of Article 7.1 of the GDPR:

1. Where the processing is based on the data subject’s consent, the controller shall be able to demonstrate that the data subject consented to the processing of his or her personal data.

In each of the cases mentioned above, a failure to comply with the principle of proactive responsibility on the part of the controller is detected, showing that its data management does not meet the requirements of the regulation.

Accountability requirements, with a practical description and their legal basis in the GDPR:

- Record of Processing Activities (Art. 30): document all data processing activities carried out by the organization.
- Impact Assessment (DPIA; EIPD in Spanish) (Art. 35): conduct a prior risk analysis for high-risk processing operations.
- Privacy by Design and by Default (Art. 25): incorporate data protection into the design of processes and systems.
- Contracts with Data Processors (Art. 28): document relationships with vendors that process data on behalf of the data controller.
- Notification of Security Breaches (Art. 33): report any breach affecting individuals' rights to the AEPD within 72 hours.
- Proof of Consent (Art. 7.1): demonstrate that the data subject provided valid and informed consent.
- Appointment of a DPO, where applicable (Art. 37): appoint a Data Protection Officer in organizations subject to this requirement.


Selection of effective tools for data management

It is fair to say that data management is not simple because of its volume and complexity. In many cases it will also depend on other factors such as, for example, the necessary investment (economic and human) to manage them in accordance with the law.

However, today there are agile tools that make it possible to centralize and safeguard users’ consents throughout the life cycle of their contractual relationship, including the possibility for the interested party to withdraw their authorization at any time, and with guarantees.

In addition, these tools comply with the principles of privacy by design and by default, incorporating the highest security measures and privacy standards for customer data. They also help to prove, if necessary, that the data controller obtained the consent legitimately.

In practice, a consent management platform (CMP) integrated with communication channels—email, SMS, WhatsApp—allows organizations to centralize consent records, manage their validity, track withdrawals, and generate auditable evidence in real time. When that platform is operated by a Qualified Trust Service Provider (QTSP) under eIDAS, the evidence generated is presumed to be legally valid throughout the EU, which significantly strengthens the data controller’s position before the AEPD.
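As an added illustration (constructed for this article; it is not MailComms' platform or code), the following Python sketch shows the core of what such a consent record has to support: each grant or withdrawal is stored with its timestamp, channel and a hash of the exact content, hash-chained to the previous record so that later alteration or reordering is detectable, and the ledger can answer whether consent was valid at a given moment. The class and method names and the assumption that events are appended in chronological order are mine.

```python
import hashlib
import json
from datetime import datetime, timezone


class ConsentLedger:
    """Hypothetical hash-chained consent ledger (constructed example, not MailComms' platform)."""
    GENESIS = "0" * 64  # chain anchor for the first record
    def __init__(self):
        self.events = []  # assumed to be appended in chronological order

    @staticmethod
    def _digest(prev_hash, entry):
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def record(self, subject_id, purpose, action, channel, content, at_iso):
        """Append a 'grant' or 'withdraw' event; at_iso is a tz-aware ISO 8601 time."""
        at = datetime.fromisoformat(at_iso)
        if action not in ("grant", "withdraw") or at.tzinfo is None:
            raise ValueError("action must be grant/withdraw and the timestamp tz-aware")
        prev_hash = self.events[-1]["hash"] if self.events else self.GENESIS
        entry = {
            "subject_id": subject_id, "purpose": purpose, "action": action,
            "channel": channel,  # email, SMS, WhatsApp, ...
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
            "timestamp": at.astimezone(timezone.utc).isoformat(),
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(prev_hash, entry)  # seals the record
        self.events.append(entry)
        return entry["hash"]

    def verify_chain(self):
        """Recompute every hash; False if any record or its order was altered."""
        prev_hash = self.GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev_hash"] != prev_hash or self._digest(prev_hash, body) != ev["hash"]:
                return False
            prev_hash = ev["hash"]
        return True

    def consent_valid_at(self, subject_id, purpose, at_iso):
        """True if the latest event for subject/purpose on or before at_iso is a grant."""
        at, state = datetime.fromisoformat(at_iso), False
        for ev in self.events:
            if (ev["subject_id"], ev["purpose"]) == (subject_id, purpose) \
                    and datetime.fromisoformat(ev["timestamp"]) <= at:
                state = ev["action"] == "grant"
        return state
```

A QTSP would additionally sign and timestamp each record with qualified services; the chain here only shows the integrity check in a self-contained way.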

Avoid costly penalties and data audits in your campaigns and communications by ensuring that permission collection is 100% auditable and transparent in accordance with GDPR standards and consent management practices.

How does a Qualified Trust Service Provider help you?

Many of the errors committed in the processing of data are due to a failure to obtain the consent of the data subjects, or to the inability to adequately safeguard that consent and demonstrate it when required.

In this sense, a Qualified Trust Service Provider such as MailComms Group certifies that the communication of consent has taken place correctly and can provide full traceability of the sending and receipt of the consent through any channel: email, SMS, WhatsApp, etc. In this way, the data controller is able to prove that the consent was obtained correctly and to produce it as evidence in the event of a claim by the customer, or in the allegations procedure in the event of a claim by the AEPD (Spanish Data Protection Agency).

MailComms Group also makes it easier for accountability officers to comply with regulations by being a certified provider of ISO 27001 (Information Security Management System) and ISO 27701 (Privacy Information Management System).

This latter standard is an extension of ISO 27001 and ISO 27002 that addresses specific privacy requirements, ensuring that organizations have comprehensive and universally applicable data governance directly aligned with the legislative requirements of their jurisdictions. Hence the importance of selecting both solutions and vendors that ensure 360º security around these ISO standards and the concepts at their core: information security and privacy.


The need for accountability, and how a PSCC (QTSP) like MailComms addresses it:

- Demonstrate that consent was obtained properly: certification of the sending, receipt, and content of the consent, with full traceability by channel (email, SMS, WhatsApp).
- Verify the validity of consent before the AEPD: the PSCC generates electronic evidence with probative value under eIDAS, with a legal presumption of authenticity.
- Management of consent withdrawals: certified record of the withdrawal, including the date, channel, and exact content of the communication.
- Compliance with data breach notification within 72 hours: traceability of access and communications to facilitate the identification and scoping of the breach.
- Demonstrating information security (ISO 27001): MailComms Group is certified to ISO 27001 (security) and ISO 27701 (privacy), demonstrating compliance with the required management standards.

Trusted provider

If your organization operates in sectors such as banking, insurance, utilities, or telecommunications, demonstrating accountability is not a one-time task but an ongoing process that must be supported by certified evidence. At MailComms Group, as an ISO 27001- and ISO 27701-certified Qualified Trust Service Provider (QTSP), we help you manage the entire consent cycle — collection, storage, withdrawal, and demonstration — with full legal validity under eIDAS and auditability by the AEPD at any time.

View the GDPR consent management solution

Frequently Asked Questions

What is the principle of accountability under the GDPR?

The principle of accountability, or proactive responsibility, is the obligation established in Article 5.2 of the GDPR, under which the data controller must not only comply with data protection principles but also be able to demonstrate such compliance through documentation and verifiable measures. It implies an active approach: it is not enough simply to avoid non-compliance; one must be able to prove compliance.

What specific obligations does accountability entail for a company?

Among the main obligations are: maintaining a record of processing activities (Art. 30), conducting impact assessments for high-risk processing operations (Art. 35), implementing privacy by design and by default (Art. 25), documenting contracts with data processors (Art. 28), notifying the AEPD of data breaches within 72 hours (Art. 33), and being able to demonstrate at any time that the data subject’s consent was validly obtained (Art. 7.1).

What penalties can the AEPD impose for failure to comply with accountability requirements?

Fines can reach up to 10 million euros or 2% of global annual revenue for serious violations, and up to 20 million euros or 4% for very serious violations. The AEPD has recently imposed fines on companies in the banking, insurance, telecommunications, and utilities sectors for violations related to the lack of a legal basis for data processing, improper inclusion in delinquent debtor files, and failure to demonstrate consent.

How can a company demonstrate that it obtained consent properly?

Through certified electronic evidence attesting to the sending, receipt, and content of the consent notice, including a timestamp and traceability of the channel used. When this evidence is generated by a Qualified Trust Service Provider (QTSP) under eIDAS, it is presumed to be legally valid throughout the EU, which places the data controller in a position of evidentiary advantage in the event of any claim or proceeding by the AEPD.

What is the difference between ISO 27001 and ISO 27701 in the context of the GDPR?

ISO 27001 certifies an organization’s Information Security Management System (ISMS), attesting that it has technical and organizational controls in place to protect information. ISO 27701 is a specific extension of ISO 27001 focused on privacy: it extends the ISMS to include personal data governance and GDPR requirements, making it easier to demonstrate compliance with the principle of accountability.

Would you like more information? At MailComms Group, we'll answer all your questions.

Please fill out this form with your information, and we'll contact you to explain how this applies to your specific situation.
