Duty of accountability
The General Data Protection Regulation (GDPR) makes you, as an organisation, responsible for demonstrating compliance with the privacy rules. This is called the duty of accountability.
What does the duty of accountability mean?
The duty of accountability means, for example, that you must be able to demonstrate that a personal data processing operation meets the most important principles of the GDPR. You must also be able to demonstrate that you have taken the appropriate technical and organisational measures to secure the personal data.
Note: You are obliged to account for your processing operations if the Dutch Data Protection Authority asks you to do so. Make sure, therefore, that you meet your duty of accountability.
Mandatory and additional measures
The GDPR contains a number of mandatory measures for meeting the duty of accountability. In addition to the mandatory measures, you can choose to take additional measures.
Mandatory measures
The mandatory measures set out in concrete terms in the GDPR are:
- Keeping a processing register.
- Carrying out a data protection impact assessment (DPIA) for data processing operations with a high privacy risk.
- Keeping a data breach register. In this register, you also include the data breaches that you do not have to report.
- Demonstrating that a data subject has actually given consent for a processing operation if you rely on consent for that processing.
- Substantiating properly why you have chosen to appoint or not to appoint a Data Protection Officer (DPO) if it is not clear whether you are obliged to appoint a DPO.
- Drawing up a privacy statement. Note: this is not the same as a privacy policy.
Additional measures
In addition to the mandatory measures, you can choose to take additional measures to demonstrate compliance with the GDPR. For example:
- Joining a code of conduct.
- Obtaining a specific certificate.
- Applying a specific ICT security policy.
- Accounting for the personal data processing in your annual report or in a special privacy annual report. Need help? Take a look at the Guide on privacy in an annual report.
Though these measures are not mandatory, they help you show the Dutch DPA that you meet the requirements of the GDPR. That is why we encourage these voluntary measures.
Drawing up a privacy policy
You are obliged to draw up a privacy policy only if this is proportionate to your processing activities. Whether you are obliged to draw up a privacy policy depends on the concrete circumstances, such as the nature, size, context and purpose of the data processing.
Hospitals, municipalities, social media companies and trade information agencies, for example, will often be obliged to draw up a privacy policy. Small organisations may also be obliged to draw up a privacy policy.
Note: A privacy policy is not the same as a privacy statement. A privacy statement is always mandatory. Every organisation is obliged to have a privacy statement to provide people with clear information about the personal data that the organisation processes and for what purposes this is done.
Voluntarily drawing up a privacy policy
Are you not obliged to draw up a privacy policy? Then it may be useful to do this all the same. This will help you check if you have taken sufficient measures to protect the personal data of your customers, patients or clients, for example. Besides, it is a way to show your target group as well as the Dutch DPA that you meet the requirements of the GDPR.
Contents of the privacy policy
The GDPR does not contain an exact description of the data that you have to include in your privacy policy. The policy must in any case demonstrate how you meet the requirements of the GDPR. You can show that by including the following information, among other things:
- A description of the categories of personal data that you process.
- A description of the purposes for which you process personal data, and the legal basis for each processing operation.
- How you meet the principles of personal data processing, such as the obligation not to process more data than necessary (data minimisation).
- Which privacy rights data subjects have and how they can exercise these rights, such as the right to submit a complaint to the Dutch DPA, the right of access, the right to rectification, the right to erasure and the right to receive all registered data (right to data portability).
- Which organisational and technical measures you have taken to secure the personal data.
- How long you retain the personal data.
Tips for a privacy policy
The Dutch DPA gives 6 tips for drawing up a privacy policy. These are:
- Assess if you are obliged to have a privacy policy.
- Use expertise.
- Record it in 1 document.
- Be concrete.
- Communicate the policy.
- Not mandatory? Nevertheless advisable.
Assess if you are obliged to have a privacy policy
Whether your organisation has to draw up a privacy policy depends on the processing. Assess which data your organisation processes and on what scale. Do you, for example, process special categories of personal data on a large scale? Then you will have to draw up and apply a privacy policy. It is your own responsibility to make this assessment. Do not wait until the Dutch DPA asks you to do this.
Use expertise
Use the expertise in your organisation to arrive at a good privacy policy. The Data Protection Officer (DPO) can play an important role as an adviser and internal supervisor. The privacy policy must meet the requirements of the GDPR and be feasible in practice.
Does your organisation encounter problems with fleshing out the policy? Then you can always ask an external expert for advice on the GDPR standards and on their specific elaboration in your organisation.
Record it in 1 document
Record the privacy policy in 1 document. Avoid fragmentation of information in a privacy statement, a processing register and a privacy policy. Though the information is available in that case, it will be clearer if the privacy policy provides a complete picture.
Be concrete
A professional privacy policy is a concrete translation of the standards from the GDPR to the data processing operations of your organisation. Just repeating standards from the GDPR is not enough.
Communicate the policy
Publication of your privacy policy is not mandatory. But it is advisable. This also makes it clear for data subjects how your organisation handles their personal data.
When publishing the privacy policy, make sure that it does not contain information that malicious persons could take advantage of, such as details of your security measures.
Not mandatory? Nevertheless advisable.
Is your organisation not obliged to have a privacy policy? Then drawing up a privacy policy is nevertheless advisable. In doing so, you demonstrate that you want to protect the personal data of data subjects.
More information
For more information about the privacy policy, see the Investigation into privacy policies of the Dutch DPA.
Keeping a processing register
The processing register contains information about the personal data that you process. Under the GDPR, drawing up a processing register (GDPR: 'register of processing activities') is often a mandatory measure. Whether you have to draw up a processing register depends on the size of your organisation and the type of data that you process.
Does your organisation have more than 250 employees? Then you are obliged to keep a processing register.
Does your organisation have fewer than 250 employees? Then you have to draw up a processing register if one or more of these situations apply to you:
- The personal data processing is not incidental. Note: In practice, processing operations are hardly ever incidental. Think, for example, about the personal data of employees that you process. Or of your customers, clients, patients or residents.
- You process personal data that entail a high risk for the rights and freedoms of the persons whose personal data you process.
- You process personal data that fall under one or more special categories of personal data. For example: data about health, religion or political preference.
You are free to decide for yourself how you organise the register, but the GDPR prescribes which information you have to include in the processing register as a controller or a processor.
Processing register of controller
The GDPR prescribes that, as a controller, you have to include this information in the register:
Name and contact details
The name and contact details of:
- your organisation or the representative of your organisation;
- any other organisations with which you have jointly determined the purposes of and means for processing (joint controllers);
- the Data Protection Officer (DPO), if you have appointed one;
- any international organisations with which you share personal data.
Purposes
The purposes for which you process the personal data. For example: recruitment and selection of staff, delivery of products or direct marketing.
Tip: It is recommended that you also mention the legal basis for each of your processing operations. The GDPR does not oblige you to do this, but it may help you meet your duty of accountability.
Data subjects
A description of the categories of persons whose data you process. For example: persons entitled to benefits, customers or patients.
Personal data
A description of the categories of personal data. Such as the citizen service number (Dutch BSN), name and address details, telephone numbers, camera images or IP addresses.
Retention period
The date on which you have to erase the data (if known).
Recipients
The categories of recipients to which you provide personal data.
Outside the EEA
Do you share the data with a country or an international organisation outside the EEA? Then you have to indicate this in the processing register.
Security
A general description of the technical and organisational measures you have taken for securing the personal data that you process.
Processing register of the processor
Do you process data on the instructions of a controller? For example: as an administrative office or an online data storage service? Then your processing register must contain the following information:
Name and contact details
The name and contact details of:
- your organisation, or the representative of your organisation, or the controller;
- the Data Protection Officer (DPO), if you have appointed one.
Processing operations
A description of the categories of processing operations that you perform on the instructions of each controller.
Outside the EEA
Do you share the data with a country or an international organisation outside the EEA? Then you have to indicate this in the processing register.
Security
A general description of the technical and organisational measures you have taken for securing the personal data that you process.
More information
- Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR. In this position paper, the European data protection authorities explain how they look at the statutory exception to the obligation to draw up a processing register.
Ensure proper security
The GDPR says that you have to arrange for proper security of personal data. This is why you first have to identify and list which processing operations you perform. Then you determine which technical and organisational measures are necessary for proper security of those processing operations.
You must be able to demonstrate that you have taken sufficient measures to secure the personal data that you process.
Privacy by design and default
You can use organisational and technical means to encourage careful handling of personal data. You do this with ‘privacy by design’ and ‘privacy by default’.
Privacy by design
Privacy by design means that you ensure proper protection of personal data as early as the design stage of products and services, and that you do not retain the data longer than necessary for the purpose of the processing.
Privacy by default
Privacy by default means that the standard settings of your product or service are privacy-friendly. This means that you have to take technical and organisational measures to ensure that you, as standard, only process personal data that are necessary for the specific purpose you want to achieve.
For example:
- an app that you offer does not register the location of visitors if this is not necessary;
- the box ‘Yes, I want to receive offers’ on your website is not pre-checked;
- you do not ask for more data than necessary when someone subscribes to your newsletter.
More information
For more information about privacy by design and privacy by default, see the publications of the EDPB listed under More information below.
Quick answers
Is a processing register mandatory for small healthcare practices or healthcare providers?
Yes, usually it is. According to the GDPR, organisations with fewer than 250 employees are obliged to establish a processing register when they process personal data:
- that pose a high risk to people’s rights and freedoms; and/or
- the processing of which is not temporary; and/or
- that fall under the category of special personal data.
Can I, as a municipality, water board or province, include the processing operations of multiple administrative bodies in 1 processing register?
Yes, you can. Administrative bodies are free to compile 1 processing register jointly.
However, the processing register has to show clearly which administrative body is the controller (there could also be several of them) for which data processing operation.
More information
- Dutch DPA's guide for privacy in an annual report
- Dutch DPA's guide 'The Board of Supervisory Directors or Supervisory Board and privacy: your role as a supervisor'
- Investigation by the Dutch DPA into privacy policies
- Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR
- Guidelines on data protection by design and by default
- Dutch translation of the Guidelines on data protection by design and by default