Abstract
The article analyzes the issues of documenting or demonstrating compliance with the GDPR. The main source of obligations analyzed herein is Art. 5.2 and Art. 24 of the GDPR, both of which concern accountability and responsibility. Documenting compliance with the provisions of the GDPR may seem to be a secondary issue or less important from the perspective of the numerous challenges faced by the entities applying the provisions of the GDPR. I consider such an approach to be wrong, as evidenced by the current practice of the President of the Office for Personal Data Protection (Data Protection Commissioner), which indicates how severely non-compliance in this area can be punished. It is also an issue concerning the practical application of European law, since the idea of accountability needs to be applied within the legal framework of the Polish administrative procedure and administrative court proceedings. Many challenges faced by data controllers arise from doubts concerning the burden of proof and the uncertainty in regard to the Commissioner’s assessment of measures to establish GDPR compliance. Some questions also arise due to certain errors in the translation of the GDPR into Polish. Nevertheless, the most important objective laid down in the discussed articles is to ensure factual compliance with data protection laws in the organization. This can potentially be achieved by various means. Therefore, although the provisions of the GDPR require accountability, it should be remembered that the specific catalog of tools that would be used to ensure accountability has been removed from the final version of Art. 22-24 of the GDPR. The ultimate goal of the regulation is to ensure protection of the right to privacy rather than to create endless internal regulations. With this in mind, in my opinion, the proceedings regarding infringement of the GDPR require a major review and a flexible approach to the evidence used by the parties.