EDPB: Meeting the accountability obligation is possible with A/B tests, among other things

The accountability requirements of the GDPR, especially in Art. 5 (2) GDPR, are virtually omnipresent and yet at the same time elusive and hard to grasp. The controller is responsible for compliance with the data protection principles of Art. 5 (1) GDPR and must be able to demonstrate that compliance ("accountability").

The GDPR does not specify how exactly this accountability, in the form of a duty to provide evidence, is to be fulfilled. From a practical point of view, unconventional approaches are therefore possible.

The EDPB also sees the possibility of fulfilling the accountability obligation not only through "classic" data protection documentation. In its guidelines on transparency (WP 260 rev01), the EDPB assumes that compliance with the specifications of the information obligations can also be demonstrated by user tests.

Paragraph 21: "In order to help identify the most appropriate modality for providing the information, in advance of “going live”, data controllers may wish to trial different modalities by way of user testing … ."

And specifically, on accountability: "Documenting this approach should also assist data controllers with their accountability obligations by demonstrating how the tool/ approach chosen to convey the information is the most appropriate in the circumstances."

The EDPB clearly sees the possibility here that internal testing with the potential target audience can also (help) meet the accountability requirements of the GDPR. These considerations of the EDPB can certainly be applied to other obligations of the GDPR. By documenting the internal tests, a controller can demonstrate how it has complied with the requirements of the GDPR.


More articles by Dr. Carlo Piltz
