In the press release, the State Commissioner for Data Protection of Lower Saxony (LfD), Barbara Thiel, thankfully states that the primary aim is not to find as many errors as possible and impose fines.
Rather, the aim was to educate, raise awareness and provide information.
It is also important to get an overview of how the GDPR has been received by companies.
Nonetheless, if violations are detected, corresponding proceedings are to be expected.
Vague, incorrect or incomplete answers are therefore likely to be an invitation for an on-site inspection.
All the more reason not to be hasty, but to prepare the response in a well-considered manner, together with the data protection officer and, if necessary, with additional legal advice.
At the same time, the GDPR questionnaire also serves as a guide for other companies that may not (yet) have been affected.
After all, every company must be able to answer the questions within a very short time and provide documentary evidence.
Evaluation of the questionnaire on the GDPR with final report in May 2019
A total of 50 companies received the LfD questionnaire as a cross-section of different sectors.
However, it is not the small companies that are affected, but 20 large and 30 medium-sized companies with their (main) registered office in Lower Saxony.
In addition to the objectives already mentioned, the LfD also hopes that the evaluation of the questionnaires will provide information for its future work.
Depending on the deficiencies, it may be possible to provide new guidance.
And even if there are no concrete plans to date, this could also be followed up by focus audits in certain sectors.
Cross-sectional check questionnaire GDPR
The questions regarding the preparation and implementation of the GDPR are quite complex.
It is clear that the GDPR is a bureaucratic act, and the LfD wants to examine how companies handle it.
It is therefore not enough to merely state that a record of processing activities is maintained or to describe the processes for complying with data subject rights; a number of sample documents must also be submitted, such as:
- Example procedure from the processing directory
- Obtaining consent
- Information sheets on data subject rights
- Documentation for the data protection impact assessment
- Contracts with processors (data processing agreements)
Answering the questions is not only likely to be time-consuming, but will also require a lot of manpower – especially if the relevant documentation and samples are not yet available.
There are a total of 10 questions, which can be found in the "Question catalog cross-sectional test GDPR":
1. Preparation for the GDPR: How have you prepared for the GDPR as a company? Describe (briefly) the procedure, which areas were involved and which measures were initiated.
2. Record of processing activities: How have you ensured that all your business processes involving the processing of personal data have been included in a record of processing activities?
3. Lawfulness of processing: On what legal basis do you process personal data?
4. Rights of data subjects: How do you ensure compliance with data subjects' rights (to information, access, rectification, erasure, restriction of processing, data portability)?
5. Technical data protection:
   a. How do you ensure that your technical and organizational measures, or those of your service providers, guarantee a level of protection appropriate to the processing risk?
   b. How do you ensure that your technical and organizational measures are adapted to the current state of the art?
   c. How do you ensure that you have a documented, data protection-compliant role and authorization concept for the IT applications you currently use or will use in the future?
   d. How do you ensure that data protection requirements are taken into account from the outset when modifying or developing new products or services (privacy by design and by default)?
6. Data protection impact assessment:
   a. How do you ensure that processing operations with a likely high risk to the rights and freedoms of data subjects are identified and that a data protection impact assessment is carried out for them?
   b. Have you identified processing operations in your company that are likely to present a high risk to the rights and freedoms of data subjects? Please attach the relevant documentation for the data protection impact assessment.
7. Processing on behalf of a controller: Have you adapted your existing contracts with processors to the new provisions of the GDPR?
8. Data protection officer: How is your data protection officer integrated into your organization?
9. Reporting obligations: How do you ensure that your company reports data protection breaches to the supervisory authority in a timely manner?
10. Documentation: How can you demonstrate compliance with all of the above obligations in sections