German DPA Circulates GDPR Compliance Survey
The Data Protection Authority for the German state of Lower Saxony sent out a survey on GDPR compliance to 50 companies under its jurisdiction at the end of June. The primary purpose of the survey, according to the head of the Lower Saxony DPA, is to gauge awareness of data protection and GDPR.
The survey asks the companies a number of questions about their GDPR preparations and actions, including:
GDPR Preparations: The implementation status of their preparations, their overall approach, which departments were involved, and what measures were taken.
GDPR Documentation: The scope of records being kept of processing activities and how these records are kept up to date. Additionally, the methodology for proving compliance with the
Legal Basis: The lawful basis used for processing personal data and, if consent is included, the survey requests a template of the consent materials.
Data Subject Rights: An outline of the relevant processes and disclosures that ensure data subject rights compliance. It also requests attaching the templates for any information or privacy notices.
Technical Data Protection: The methods used to ensure cybersecurity protections are appropriate and state of the art. Additionally, the use of appropriate privacy by design and default measures in new and modified products and services.
Data Protection Impact Assessments: If the company has identified high risk processing operations, then the survey asks them to attach the relevant DPIA documentation. It also asks all companies to state how they identify processing for DPIAs.
Data Processors: It requests the attachment of the template and a sample agreement if their contracts with data processors have been adapted for GDPR.
Data Protection Officer: Identify the qualifications of your DPO and how they are integrated into the organization.
Reporting Obligations: Outline the processes to ensure that data protection incidents and violations are reported to the supervisory authority.
The survey was issued to 20 large and 30 medium-sized companies from different industries with their main office in Lower Saxony. Survey responses will be collected through the fall, and on-site appointments may be scheduled with certain companies to gather additional information. The end result will be a report that is scheduled for publication in May 2019.
The Lower Saxony DPA is one of the largest Data Protection Authorities within Germany. Germany has 16 DPAs with jurisdiction over private companies in their region and a federal DPA with authority over telecom and postal service companies.
Surveys like this one have traditionally been used for information gathering and to refine the agency's education efforts. A significant increase in enforcement actions as a result of the survey answers is not expected unless there are egregious violations. The DPA expects to issue guidance as a result of what it finds in the survey responses.