The Data Protection Authority of the German state of Lower Saxony (Niedersachsen) recently began random examinations into how well companies are implementing the EU's General Data Protection Regulation (GDPR). Compliance officers of U.S. companies with operations in Germany should be on alert.
Lower Saxony’s DPA said that it began its examinations in July, focusing on how well companies that are headquartered in Lower Saxony “have used the two-year transitional period” to get into compliance with the GDPR, which took effect on May 25, 2018.
Germany is a federation of 16 states, each with its own DPA supervising the private sector. The only exceptions are telecommunications and postal services companies, which are supervised by the Federal Commissioner for Data Protection. Lower Saxony is Germany's second largest federal state by area.
Lower Saxony's Data Protection Commissioner Barbara Thiel sent 50 companies a questionnaire covering 10 areas of data protection. In this first round, the questionnaire went to 20 large companies and 30 mid-sized companies across various sectors. According to the DPA, a complete review of individual industries is not planned at this time.
“My main concern is to identify whether there is still some catching up to do with the responsible authorities,” Thiel said. “At the moment, it is not a matter of priority to find as many mistakes as possible and to impose fines,” she said, but rather to enlighten, sensitize, and provide valuable guidance to companies. The DPA warns, however, that proceedings could follow if GDPR violations are uncovered.
The scope of the questionnaire is broad. Among other things, it asks each company:
How it has prepared for the GDPR;
How it prepares and maintains records of processing activities;
On what legal basis it processes personal data;
How it ensures compliance with the rights of data subjects;
What technical and organizational measures it has in place;
How it has integrated the data protection officer into the company; and much more.
Answers to the questionnaire will be evaluated by November 2018, after which on-site audits at selected companies will be conducted. A "final report" on the cross-sectional review is to be made available in May 2019.
The DPA said it hopes the results will indicate where to focus future efforts, such as whether to audit particular industries or where more guidance and education are needed, and that further guidance could be developed as a result.
The questionnaire from Lower Saxony's DPA is only the latest instance of a German DPA sending companies a written questionnaire. A blog post by law firm Alston & Bird notes that 10 of Germany's 17 DPAs surveyed 500 companies about their practices regarding international data transfers.
In that blog post, Daniel Felz, an associate at Alston & Bird, advised companies who receive a questionnaire from a German DPA to work with counsel to enable a prompt response, ideally in German. “Generally, German DPAs are willing to interact with companies to clarify the scope of questions, specify requested materials, and right-size the level of detail responses should contain,” Felz wrote.
"This willingness to take a more collaborative approach can continue into the response and follow-up phases of surveys," Felz added. "However, delayed responses—or the absence of a response—are generally viewed unfavorably, just as they would be with U.S. regulators, and can result in heightened scrutiny."