The General Data Protection Regulation (AVG) puts the onus on you as an organization to demonstrate compliance with privacy rules. This is called accountability.
Accountability means, for example, that you must be able to demonstrate that a processing of personal data complies with the key principles of the AVG. You must also be able to show that you have taken appropriate technical and organizational measures to secure the personal data.
The AVG lists a number of mandatory measures you can use to meet your accountability requirements. In addition to the mandatory measures, you can choose to take additional measures.
The mandatory measures specifically listed by the AVG are:
Maintain a processing record.
Conduct a data protection impact assessment (DPIA) for data processing operations with a high privacy risk.
Keep a data breach register. In it, you also include the data breaches that you are not required to report.
Demonstrate that a data subject has actually given consent for a data processing operation when that processing requires consent.
Be able to properly justify why you have or have not appointed a data protection officer (FG) when it is unclear whether you are required to appoint one.
Create a privacy statement. Note that this is not the same as a privacy policy.
In addition to the mandatory measures, you may choose to take additional measures that demonstrate your compliance with the requirements of the AVG. For example:
Join a code of conduct.
Obtain a particular certificate.
Adopt a specific ICT security policy.
Account for the processing of personal data in your annual report or in a dedicated privacy annual report (see the AP's page on privacy in an annual report).
While these measures are not mandatory, they do help you demonstrate to the AP that you meet the requirements of the AVG. Therefore, we encourage these voluntary measures.
Source: https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/avg-algemeen/verantwoordingsplicht , accessed February 18, 2025.