Data Privacy

GDPR Article 24: Responsibility of the Controller

GDPR Article 24 imposes the accountability obligation on the controller. Key themes: risk-based approach, technical and organisational measures, documentation, demonstrability.

In one sentence: GDPR Article 24 requires the controller to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR; those measures must be risk-proportionate, reviewed and updated where necessary, and may include appropriate data protection policies and adherence to approved codes of conduct or certification mechanisms.

Article 24 is the operational expression of the accountability principle from Article 5(2). It tells the controller: it’s not enough to comply — you must be able to prove compliance. The CNIL, BfDI and other supervisory authorities apply Article 24 as the lens through which they evaluate all other compliance evidence in inspections.

For related principles: accountability principle, Article 25 privacy by design, Article 32 security.

Key takeaways

  • Article 24 requires the controller to implement and demonstrate compliance — the burden of proof is on the controller.
  • Measures must be appropriate to the nature, scope, context, purposes of processing AND the risks to data subjects.
  • Measures must be reviewed and updated as needed.
  • Implementation may include data protection policies, adherence to codes of conduct, certifications.
  • Article 24 is the GDPR’s organising principle for inspections — every other obligation is evaluated through this lens.

1. Article 24 text

Article 24 — Responsibility of the controller

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

  3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

2. The two-part obligation

Article 24 imposes a single principle with two operational parts:

  1. Ensure that processing complies with the GDPR
  2. Be able to demonstrate that compliance

The “demonstrate” part is what makes Article 24 distinctive. It’s not enough to be compliant in fact — you must hold the evidence ready for inspection.

3. The risk-proportionate standard

The measures must be appropriate considering:

  • Nature of processing (technical scope)
  • Scope of processing (volume, geography)
  • Context of processing (sector, sensitivity of data)
  • Purposes of processing (commercial vs public interest)
  • Risks of varying likelihood and severity for data subjects

Translation: a small e-commerce business processing 10,000 orders a year needs less than a hospital processing 10 million health records. No checklist applies universally; the controller must calibrate the measures to its own processing and its own risks.

4. Concrete measures expected

While Article 24 doesn’t enumerate measures, the EDPB and supervisory authorities have built up an expectations baseline:

Technical measures

  • Security measures (Article 32) — encryption, MFA, logging, access control
  • Breach detection and response capability (Articles 33-34)
  • Pseudonymization and encryption where appropriate (pseudonymization is defined in Article 4(5); both are named as measures in Articles 25(1) and 32(1)(a))

Organisational and documentation measures

  • Record of Processing Activities (Article 30)
  • Data Protection Impact Assessments for high-risk processing (Article 35)
  • Designated accountability (DPO where Article 37 requires one, otherwise a named privacy lead)
  • Internal policies aligned with GDPR (data protection policy, DSR procedure, breach playbook)
  • Training of staff
  • Vendor due diligence and DPA management (Article 28)
  • Internal audit program
  • Reporting to senior management

5. The “demonstrate” requirement — practical evidence

To demonstrate compliance, the controller should maintain:

  • ROPA for all processing activities
  • DPIA register with completed assessments for high-risk processing
  • Signed DPAs with all processors
  • Privacy policy version history with effective dates
  • Consent records for consent-based processing
  • DSR register showing requests, responses, response time
  • Breach register with notified and non-notified events
  • Training records with attendance traceability
  • Internal audit reports and corrective action plans
  • Vendor audit records with frequency aligned to risk

This evidence package is what the supervisory authority requests on day one of an inspection.

6. Codes of conduct and certifications (Article 24(3))

Article 24(3) recognizes that adherence to:

  • Approved codes of conduct (Article 40) — sector-specific
  • Approved certification mechanisms (Article 42) — e.g., EuroPriSe. ISO/IEC 27701 is not an Article 42 mechanism: it is an ISO management-system standard, widely used as supporting evidence but without the formal status Article 24(3) gives to approved certifications

…may be used as elements to demonstrate compliance. They don’t replace the underlying obligation but provide evidence that the controller has structured its approach.

In 2026, few codes of conduct have been formally approved. ISO/IEC 27701 has emerged as the most-used certification proxy for demonstrating GDPR compliance, even though it is not an approved Article 42 mechanism and therefore does not carry the formal weight of Article 24(3). See ISO 27001 vs GDPR.

7. Review and update requirement

“Those measures shall be reviewed and updated where necessary.” This requires:

  • Annual audit of the privacy program
  • Triggered review on regulatory changes (EDPB guidelines, national law updates)
  • Triggered review on operational changes (new processing, new vendors, new technologies)
  • Documentation of reviews and changes

8. Article 24 vs Article 25 vs Article 32

These three Articles work together:

  • Article 24 — overall accountability obligation
  • Article 25 — specific obligation for privacy by design and by default
  • Article 32 — specific obligation for security of processing

Article 24 is the umbrella; Articles 25 and 32 are specific applications.

9. Sanctions

Article 24 is not itself listed in Article 83(4) or Article 83(5), so it is not fined directly. Accountability failures are sanctioned in one of two ways: through Article 5(2), the accountability principle, which sits in the upper tier of Article 83(5)(a) (up to €20M or 4% of global annual turnover, whichever is higher), or through the specific controller obligations that implement it (Articles 25 to 39: ROPA, DPIA, DPA, security, breach notification), which sit in the lower tier of Article 83(4)(a) (up to €10M or 2%, whichever is higher).

In practice, Article 24 is rarely cited alone. It typically appears as the "accountability" framing of other concrete failures (lack of ROPA, lack of DPIA, lack of DPA, inadequate security).

Notable cases:

  • Marriott (ICO, 2020) — £18.4M; the infringements formally found were of Article 5(1)(f) and Article 32, with the ICO's reasoning on governance and oversight of security reflecting the accountability approach
  • Multiple SMB sanctions — Article 24 framing of ROPA / DPIA absence

10. Implementation checklist

  • ☐ ROPA maintained and current (Article 30)
  • ☐ DPIA register with completed assessments (Article 35)
  • ☐ Signed DPAs with all processors (Article 28)
  • ☐ Privacy policy versioned with effective dates
  • ☐ Consent records demonstrating consent (Article 7(1)) for consent-based processing
  • ☐ DSR register with response time tracking
  • ☐ Breach register (notified and non-notified)
  • ☐ Training records with attendance
  • ☐ Internal audit annual cycle documented
  • ☐ Vendor audit cycle aligned to risk
  • ☐ DPO designation documented (if applicable)
  • ☐ Annual program review with senior management sign-off
  • ☐ Codes of conduct / certifications considered (e.g., ISO 27701)

11. Tooling

Legiscope maintains the Article 24 evidence package automatically: ROPA, DPIAs, DPAs, DSRs, breaches, training — all version-controlled with audit trail and exportable on demand for supervisory authority inspection.

For related deep-dives: accountability principle, Article 25 privacy by design, Article 32 security, GDPR audit methodology.

Conclusion

Article 24 is the GDPR’s most consequential meta-obligation. It transforms compliance from “do the right thing” to “do the right thing AND prove it.” The evidence package required is substantial but reproducible — and the cost of having it ready is far lower than the cost of not having it during an inspection.

FAQ

What does GDPR Article 24 require?

Article 24 imposes the accountability obligation on the controller: implement appropriate technical and organisational measures to ensure compliance AND be able to demonstrate that compliance. Measures must be risk-proportionate and reviewed and updated where necessary, which in practice means at least annually and on any significant change.

What’s the difference between Article 24 and Article 32?

Article 24 is the umbrella accountability obligation. Article 32 is a specific application — security of processing. Article 24 covers all aspects of compliance (lawful basis, rights, transparency, etc.), while Article 32 is specifically about security measures.

What evidence do I need to maintain?

ROPA, DPIA register, signed DPAs, privacy policy version history, consent records, DSR register, breach register, training records, internal audit reports, vendor audit records. This is the package supervisory authorities request first during inspections.

Does ISO 27701 certification satisfy Article 24?

It’s strong evidence but not automatic compliance. Article 24(3) recognizes certifications as “an element by which to demonstrate compliance” — they don’t replace the underlying obligations.

How often must I review and update my measures?

At minimum annually for the full program, plus triggered reviews on regulatory changes (EDPB guidelines, national law updates) and operational changes (new processing activities, new vendors, new technologies).

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on GDPR implementation. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
