
PC.20 Accountability

 

According to Art. 5 II GDPR, the controller must be able to demonstrate compliance with the principles of Art. 5 I GDPR. The German version of the GDPR refers to this obligation to demonstrate compliance as "Rechenschaftspflicht", the English version as "accountability".

 

Art. 24 I GDPR also contains an obligation to demonstrate compliance. According to this, the controller must be able to demonstrate that "processing is performed in accordance with" the GDPR.

 

These obligations to demonstrate compliance are thus intended to secure adherence to all of the principles (Art. 5 II) or to the GDPR as a whole (Art. 24 I). To that end they require the controller to act proactively, because without documentation produced in advance the required proof can hardly be furnished afterwards.

The need to be able to demonstrate compliance is described as the "driver" for the effective implementation of data protection principles (Art. 29 Working Party, WP 173 (2010), p. 4). The obligation is meant to improve the evidentiary position of the supervisory authorities, since audits often failed because the controller did not have sufficient documentation and records of its processes. Within the scope of its investigative powers, the supervisory authority can order the controller "to provide any information it requires for the performance of its tasks" (Art. 58 I a GDPR).

Many consider these obligations to be part of the concept of "accountability". "Accountability" is regarded as "one of the most important novelties" of the GDPR (EDPS, Opinion 8/2016, p. 7). It is meant neither to change nor to affect the principles of data protection, but rather to make them work better (Art. 29 Working Party, WP 173 (2010), p. 5).

It is unclear how far the concept of "accountability" extends. Even in the Anglo-Saxon world, from which the term originates, it is "rather contourless", and "defining what exactly 'accountability' means in practice is complex" (Art. 29 Working Party, WP 173 (2010), para. 21). Because of its proximity to the terms "corporate social accountability" and "political accountability", in the USA it is probably understood as the commitment of the responsible party to data protection, i.e. a voluntarily assumed responsibility. With regard to Art. 24, Nink explicitly speaks of "corporate digital responsibility" (Nink, in: Spindler/Schuster, Recht der elektronischen Medien, 4th ed. 2019, Art. 24 GDPR para. 18). In common usage, "accountability" is also associated with "answerability" or "responsiveness", and can simply mean "bringing wrongdoers to justice". In the first instance, none of this has anything to do with legal responsibility, liability or compliance.

However, with the adoption of the term into the legal sphere of the EU and its insertion into the prescriptive system of the GDPR, a momentous change in meaning may have accompanied it. The Article 29 Working Party admits that the term "accountability" is difficult to translate into most other European languages; it suggests "reinforced responsibility", "assurance", "reliability", "trustworthiness" and the French phrase "obligation de rendre des comptes" (Art. 29 Working Party, WP 173 (2010), para. 22). In the context of the GDPR, too, the concept of "accountability" has been described as "elusive" and "chameleon-like" (van Alsenoy, Regulating Data Protection, p. 267) or "dazzling" (Kramer, in: Auernhammer, 6th ed. 2018, Art. 5 para. 45).

Supporters of the concept nevertheless derive concrete obligations and legal consequences from it, which brings it close to compliance (Jung, in: ZD 2018, 2018). It is predicted that "accountability" will represent a significant part of operational compliance in future (GDD, Praxishilfe DSGVO IX, Version 1.0 (October 2017), p. 3).

In the eyes of some, "accountability" even seems to go beyond the obligation to behave in a legally compliant manner. According to the European Data Protection Supervisor, following the law is no longer sufficient in today's digital environment; the ethical dimension must also be taken into account. Under the heading "Towards a new digital ethics", the demand for an "accountable controller" is presented as one of four building blocks of a digital ecosystem in line with human dignity (EDPS, Opinion 4/2015, pp. 3-4).

However, the central importance that Art. 5 II and Art. 24 GDPR would actually have under an extensive interpretation is hardly ever explicitly acknowledged in the German-language literature. Only a few authors (e.g. Piltz, in: Gola, 2nd ed. 2018, Art. 24 para. 1 et seq.; Hartung, in: Kühling/Buchner, 2nd ed. 2018, Art. 24 para. 1 et seq.) recognise that the comprehensive obligation to demonstrate compliance and the risk-based approach are fundamental innovations. It is admittedly accepted that Art. 24 is not a mere "affirmation" of the obligations contained in other provisions (Plath, in: Plath, 3rd ed. 2018, Art. 24 para. 2). According to the prevailing view, however, Art. 24 creates "hardly any significant requirements in terms of content that are not already contained in other provisions" (Kramer/Meints, in: Auernhammer, 6th ed. 2018, Art. 24 para. 3). As a general norm, it is "largely absorbed into the concretisations that it receives through Articles 25 and 32" (Martini, in: Paal/Pauly, 2nd ed. 2018, Art. 24 para. 5).

These examples from the literature show that in Germany the anchoring of the principle of "accountability" in international treaties and guidelines is insufficiently taken into account. Among the non-German-speaking expert public, by contrast, "accountability" is celebrated as one of the central pillars of the GDPR and as one of its great innovations, one that is already recognised globally (see, for example, Docksey, Art. 24, in: Kuner/Bygrave/Docksey, Commentary on the EU General Data Protection Regulation, Oxford University Press 2020; CIPL, The Central Role of Organisational Accountability in Data Protection, Discussion Papers 1 and 2, with further references).

A broadly understood accountability comes into conflict with numerous principles of the rule of law. Comprehensive, preventive obligations to provide evidence can be a disproportionate encroachment on the general freedom of action of the individual (comparable to obliging a car driver to prove that he or she has always complied with all traffic regulations, including speed limits). The principle of freedom from self-incrimination (nemo tenetur se ipsum accusare) is also at issue if the duty of self-monitoring goes so far that the supervisory authorities must be given every means to "convict" a controller who has presumably acted unlawfully. See also Tile O.09.

Authors
Winfried Veil
Last update: 2021-06-17 08:37:21
By: Winfried Veil
Created at: 2021-05-22 15:54:20