Data Protection in Companies - Accountability

Attorney at Law (Rechtsanwältin) Rejin Sherzad Ahmed, Thursday, 5 February 2026


The GDPR requires more than formal compliance. Companies must be able to demonstrate at any time that personal data is processed lawfully and that the legal requirements are implemented. This accountability obligation under Art. 5(2) GDPR is a standalone compliance standard: it is about verifiable processes, documented decisions, and clear responsibilities. Overall responsibility lies with management, not automatically with the data protection officer.

Art. 24 GDPR specifies this duty and requires appropriate technical and organizational measures to ensure that processing complies with the law. Which measures are necessary depends on the risk of the processing, meaning the nature, scope, context, and purposes of data processing. A generic template is therefore insufficient. In practice, this means: data protection must be embedded in processes, documented, and reviewed regularly.

Accountability is also subject to administrative fines (Art. 83(5) GDPR). Gaps in documentation or missing evidence can be sanctioned even if no specific data protection violation is proven. The European Court of Justice has reinforced this duty: it applies even in cooperation between different entities, even when there is no joint controllership under Art. 26 GDPR (ECJ, 27.10.2022 - C-129/21). Whenever personal data is exchanged, controllers must check and document that GDPR requirements are met and, if necessary, inform other parties involved.

An example template

Measures to implement data protection requirements
Company ... aims to implement the data protection requirements of the EU General Data Protection Regulation (GDPR).
This document records the individual steps taken to implement the legal requirements.
It provides an overview of the formal requirements and demonstrates compliance with the organizational and technical measures to protect personal data.
The document is updated regularly and is available on the intranet at ...
Version: ...
Date: ...
Signing, responsible person: ...
Data Protection Officer: ...

Depending on the processing activity, the following must be recorded in a table and documented as evidence: the measures, their description, the program version number and the last version, the review (by whom and when), and the subsequent assessment.

Please contact me for detailed legal advice.


tags: #Data Protection #GDPR #compliance #en

Attorney at Law Rejin Sherzad Ahmed is a member of the Frankfurt am Main Bar Association
and the German SME Association (BVMID).