The Data Protection Supervisory Authorities (“DPAs”) for the German states of Lower Saxony and Bavaria recently announced (related information can be found here and here) that they will carry out random audits to check compliance with the GDPR.
In July 2018, the DPA for Lower Saxony reached out to about 50 companies with a questionnaire. The questionnaire focused on the following topics:
- How has the company prepared for the GDPR?
- How were the records of processing prepared and how will they be maintained?
- What are the legal bases for the processing of personal data, including sample consent forms?
- How are data subject rights addressed?
- What technical and organizational measures are in place?
- How are DPIAs carried out?
- What template data processing agreements are used?
- How is the DPO involved in the company and what skills does he/she have?
- What does the security breach notification procedure look like?
- How can the company demonstrate compliance with the above-mentioned aspects?
As the DPA expects detailed responses accompanied by sample documents, high-level responses will not be sufficient. Further, the DPA may carry out additional on-site audits based on the responses to the questionnaire. The outcome of the general audit will be published in May 2019. The main purpose of the general audit appears to be for the DPA to identify areas for further targeted audits, as well as areas where the DPA should provide further guidance and support, rather than the identification of non-compliance and the imposition of fines. The DPA may, of course, still impose fines.
In September, the DPA for Bavaria announced the following initial audit activities:
- An audit of (initially) three large companies in Bavaria. The audit will not have a specific focus (planned for September 2018)
- A cyber security audit of around 8 medical practices (planned for September 2018)
- An audit of about 25 companies for compliance with transparency requirements for applicants (planned for October 2018)
- A cyber security audit of about 15 companies regarding patch management for online services (planned for November 2018)
- An audit of about 10 subprocessors relating to security breaches (planned for November 2018)
The Bavarian DPA has noted that additional audits will follow.
Similar to the approach taken by the DPA of Lower Saxony, the Bavarian DPA audits will start with a questionnaire to be answered by the companies. As per prior practice, the questionnaires will be published on the DPA website (see here); the questionnaires for the upcoming audits have, however, not yet been published. In case of an on-site audit, the Bavarian DPA will typically give 4 to 6 weeks prior notice and include a description of the expected scope of the on-site audit. The DPA may also ask for certain documents, in particular: data processing agreements, consent templates, commitments to data secrecy by employees, records of processing, and access right concepts.
Companies should be aware of these potentially upcoming audits, and it should be expected that other DPAs in Germany will commence similar random audits.