The General Data Protection Regulation (GDPR) has been directly applicable law since May 25, 2018. It caused a fair amount of media attention in particular due to the threat of considerably increased fines of up to 4% of worldwide revenue of the prior financial year or EUR 20 million, whichever is higher. In addition to the directly obligated parties and legal practitioners, the supervisory authorities had to familiarize themselves with the new legal situation, not least because of the numerous abstract legal terms that needed to be filled. Various documents, published on the Bavarian State Office for Data Protection Supervision’s website prove that this “familiarization phase” is slowly but surely coming to an end.
In addition to the fact, which by itself is not self-evident, that audits are already performed, these documents also offer valuable insight into the Bavarian State Office for Data Protection Supervision’s data protection auditing practice. It shows, for example, that companies are audited both without a specific occasion and where violations have already been discovered. Moreover, the Bavarian State Office for Data Protection Supervision explicitly points out that the audits are not limited to companies receiving and responding to questions. Rather, companies are also requested to send documents such as information templates in accordance with Article 13 GDPR or IT-security concepts as evidence. On-site audits also remain reserved. As the documents show, companies of all sizes and with a view to different areas have been audited to date, including three large groups and several smaller (100+ employees) and medium-size companies (500+ employees) in a variety of sectors. In terms of content, the audits relate to numerous areas of data protection law at highly different degrees of specificity. Audit topics range from very specific audit blocks such as “erasing data from ERP systems (SAP)” or “patch management eCommerce systems/online shops (Magento)” to apparently more generic audit schemes such as “implementing GDPR in small and medium-sized enterprises (SMEs).” The questionnaire published by the Bavarian State Office for Data Protection Supervision in relation to the latter item concerns topics such as the appointment and area of responsibility of data protection officers in the respective companies, existing branches and their integration into data protection concepts, the existence of records of processing activities, the existence and implementation status of IT security concepts, processes for dealing with information rights and data subjects’ rights, as well as questions in connection with data protection violations. By not subjecting every company to the same auditing scheme, the Bavarian State Office for Data Protection Supervision proves its undeniable practical relevance. It is obviously clearly aware of the problems faced by larger companies in implementing data protection-compliant and consistent erasure concepts and only audits those companies where it suspects problems due to the corporate structure. 15 larger companies were also asked about information duties under Article 13 GDPR in connection with their application processes, the implementation of which is frequently neglected as experience shows.
Consequences for the practice:
It is evident that no unconditional conclusions may be drawn from the publications on the relevant practices of the other German states’ supervisory authorities. Nevertheless, the information serves companies, not only those established in Bavaria, as valuable audit and starting points of their own implementation status under data protection law and should not be ignored. The Bavarian State Office for Data Protection Supervision’s publications show that – if there ever has been one – any grace period for implementation of the General Data Protection Regulation seems to have expired. Companies that have not yet implemented the General Data Protection Regulation, or have done so insufficiently, should neither ignore this information nor panic, but should consider the valuable information provided by the Bavarian State Office for Data Protection Supervision as support for organizing their own implementation and critically reviewing their implementation status.