On 3 March 2017, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht – “DPA”) issued its 160-page 7th activity report (Tätigkeitsbericht), covering the years 2015 and 2016. The activity report was accompanied by a press release of the same date.

Background

In Germany, Data Protection Authorities are obliged to issue activity reports regularly, at least every two years (Section 38(1) sentence 7 of the German Data Protection Act, Bundesdatenschutzgesetz – BDSG). Under Article 59 of the upcoming General Data Protection Regulation (“GDPR”), however, each supervisory authority shall draw up an annual report.

Overview

Key focus: GDPR. The DPA states that the years 2015 and 2016 were characterised by the GDPR’s entering into force, which raised a number of legal questions, both for data controllers/processors and for the competent DPA. The DPA emphasizes that the increase of the DPA’s responsibilities and of its power to impose sanctions upon companies, as well as the upcoming closer collaboration with other supervisory authorities and the Board, will lead to a substantial increase in the DPA’s workload. This holds true in particular in the light of the fact that, in future, most activities will be conducted in the English language.

Cybercrime. Another key focus of the DPA’s activity in 2015/2016 was the security risks of networks, with a particular view on cybercrime attacks. The DPA states that the substantial increase of reported data breaches was surprising for the DPA. In the preceding reporting period 2013/2014, 53 data breaches were reported, whereas the number of reported data breaches increased to 113 in the reporting period 2015/2016 (85 incidents were reported in 2016 alone).

Increase of complaints. The DPA reports an increase of received complaints in the reporting period 2015/2016 (2,527 complaints), compared to the preceding reporting period 2013/2014 (1,878 complaints). The DPA takes the view that this increase might be caused by an increased awareness of data protection related issues across the community.

Increase of consultancy requests. The DPA also reports an increase of consultancy requests, mainly from companies. In the reporting period 2015/2016, 3,853 requests were received, whereas in the reporting period 2013/2014, 3,554 consultancy requests were recorded. The DPA recognized that a number of companies repeatedly asked the DPA for consultancy, which the DPA regards as a strong indication of data controllers’ increased desire to be compliant with the requirements of data protection. At the same time, the DPA confesses that it could not handle all requests properly due to the existing personnel shortage.

Duration of proceedings before the DPA. With a view to the enormous workload, the DPA raised concerns on how to meet the deadlines foreseen under the GDPR, in particular the three-month deadline pursuant to Article 78(2) GDPR. To assess its own capabilities, the DPA has internally monitored the duration of the proceedings it administers; according to the press release, the results are as follows:

Duration of proceedings (each column covers one quarter of the cases, from the fastest quarter to the slowest):

                       1st 25%    2nd 25%    3rd 25%    4th 25%
  Complaints           4 days     14 days    52 days    141 days
  Consulting citizens  1 day      3 days     11 days    36 days
  Consulting companies 3 days     19 days    47 days    122 days

Shortage of personnel. Four new officers are to be hired in the years 2017 and 2018, bringing the total headcount to 17 officers for the next two years. However, the DPA forecasts that it will still not be able to properly fulfil its responsibilities due to a shortage of personnel.

Sanctions only for exceptionally severe breaches. Due to the heavy workload and shortage of personnel, the DPA has been able to open sanctioning proceedings only in exceptional, severe cases. However, the DPA clearly states that this needs to change, particularly with a view to the upcoming new obligations of data controllers and data processors under the GDPR.

Content of the Activity Report

The activity report contains the following 23 chapters:

  1. Supervisory activities in the non-public area
  2. General overview of the DPA’s activities
  3. Controls and audits
  4. Data protection officer
  5. Contract data processing
  6. Right to information
  7. Data protection and internet
  8. Lawyers and disputes
  9. Insurance sector
  10. Financial institutions
  11. Credit agencies
  12. Advertising and address trading
  13. Trade and services
  14. International data transfers
  15. Protection of employee data
  16. Health and social sector
  17. Clubs and associations
  18. Housing sector and protection of tenants’ personal data
  19. Video surveillance
  20. Vehicle data
  21. Data breaches
  22. Technical data protection and security of information systems
  23. Sanctions