What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?

What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?
A . The controller shall appoint a DPO before carrying out large scale processing
B . The controller shall be responsible for. and be able to demonstrate compliance with the data protection principles.
C . Controllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing
D . Processors have overarching responsibility to ensure their processing is compliant

View Answer

Answer: B

Explanation:

Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article 5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organizational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR.

Reference: Article 5(2) of the GDPR3

ICO guidance on accountability and governance4