ARTICLE
24 September 2018

Data Protection Authority Announces Unprovoked Controls

SKW Schwarz

Contributor

Germany Privacy

Among other things, the General Data Protection Regulation (GDPR) gives the supervisory authorities the task of monitoring and enforcing the application of the Regulation. For this purpose, the supervisory authority can rely on the submissions and complaints of those affected. However, it can also take action of its own accord and carry out so-called "on-the-spot checks" or unprovoked controls on those responsible for data processing. Companies particularly fear such controls, because they must compile and verify a large amount of information within a short period of time specified by the authority, without having been prepared for the request.

The Bavarian State Office for Data Protection Supervision as supervisory authority has now made its view of these controls public in order to give companies under its authority the opportunity to better prepare themselves for controls. The supervisory authority attaches great importance to the transparency of its activities. It has therefore announced that it will publish all test questionnaires used on its homepage (www.lda.bayern.de) and will also document the results of the controls there. The controls will be carried out on a random basis. If violations are found, orders (e.g. to prohibit data processing) or sanctions such as fines are to be expected.

A special sign of the supervisory authority's willingness to ensure transparency is the publication of the audit plan for controls in Bavaria planned for the coming weeks and months. Accordingly, the following controls are planned for the time being:

  • September 2018: Accountability audit of (starting with three) large companies
  • September 2018: Cyber security: Encryption Trojan at medical practices (starting with 8 practices)
  • October 2018: Compliance with information requirements in application procedures (starting with 25 companies)
  • October 2018: Cyber security: Patch management for online services (starting with 15)
  • November 2018: Cyber security: detection of data breaches at international subcontractors (starting with 5 large companies)

It certainly does not require any particular prophetic talent to predict that other supervisory authorities in Germany and Europe will follow this example of the Bavarian supervisory authority and carry out their own controls. Since June 2018, the Lower Saxony supervisory authority has been carrying out comprehensive cross-sectional controls (initially on 20 large and 30 medium-sized companies) (https://www.lfd.niedersachsen.de/startseite/allgemein/presseinformationen/querschnittspruefung_fragen_zur_dsgvo_an_50_unternehmen/fragen-zur-ds-gvo-an-50-unternehmen-166110.html). It is therefore the responsibility of the companies to take seriously the offer of the supervisory authority on transparency and to prepare themselves for these controls in the best possible way.

Practical tip:

Since the supervisory authority has announced that it will publish all audit forms on its homepage, it is worth taking a closer look at this homepage on a regular basis, on the one hand as preparation for possible audits, but also as a helpful checklist for auditing your own data protection compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
