On November 7, 2018, the Data Protection Authority of Bavaria for the Private Sector (the “BayLDA”) issued a press release describing audits completed and pending in Bavaria since the EU General Data Protection Regulation (“GDPR”) took force.
The BayLDA initially focused on informing entities about changes brought by the GDPR. Subsequently, this year the BayLDA launched data protection investigations throughout Bavaria to check compliance, raise awareness of the risks inherent to the processing of personal data and incite entities to effectively and adequately protect this data.
As of now, the BayLDA has audited a small number of entities. The audit structure is fairly predictable, beginning with a written examination that is followed by on-site visits to selected entities to verify the information provided. The BayLDA’s aim is to conduct active audits to explain the criteria to these entities and to detail what is expected of them. To this end, the BayLDA publishes the review letters sent to each entity to enable others to understand the requirements and how to comply.
The BayLDA has focused largely on cybersecurity issues (particularly on the security of online shops and ransomware in medical practices), the accountability of large companies, the duty of companies to disclose to job candidates the processing of their personal data during the application process and, finally, the implementation of the GDPR in small and medium-sized enterprises.
The BayLDA intends to continue its wave of audits, including through two investigative approaches it has commenced—one, auditing large, international companies to assess whether they comply with data protection regulations when selecting service providers and, in particular, whether they have implemented a reporting process in the event of a data breach; second, focusing on the issue of “erasure of data,” particularly in connection to SAP systems.