Following a two-year grace period, the EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization. On this blog, we have outlined the items we have seen as particularly time- or resource-intensive.
On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction. Germany has 16 state-run DPAs with general jurisdiction over private companies and one federal DPA with limited jurisdiction over telecom and postal service companies. The Lower Saxony DPA is one of the larger state-run DPAs within Germany, and its announcement can be of interest to US companies with operations in Germany.
The Lower Saxony DPA states it plans to initially send a GDPR Compliance Questionnaire to “20 large and 30 mid-sized companies from different industries” that have their main establishment in Lower Saxony. Responses will be collected throughout the summer and fall, and the DPA may conduct on-site appointments at selected companies. The end product of the survey will be a “Final Report” to be published in May 2019.
The head of the Lower Saxony DPA states that the primary purpose of the survey is to “gauge the awareness for data protection in general and especially the GDPR.” As a result, “the primary point is not to find as many mistakes as possible and assess fines,” but instead to “educate, raise awareness, and provide valuable guidance.” The DPA envisions potentially issuing new guidelines or publications based on what it learns from its survey. Still, proceedings involving a company could be instituted if “violations of the GDPR” are discovered in the course of the survey.
This is not the first time a German DPA has conducted a broad survey regarding companies’ privacy practices and compliance. As we reported earlier, 10 German DPAs surveyed approximately 500 companies’ practices regarding international data transfers and uses of cloud-based applications. The survey was used by DPAs for their internal knowledge-gathering, and to make companies aware of the transfers that occur when using cloud-based services. It did not result in significant reported enforcement activity.
The Lower Saxony DPA’s questionnaire is broader in scope than previous surveys, inquiring into (a) general GDPR preparation measures, (b) Article 30 records of processing activities, (c) legal bases for data processing, (d) individual rights compliance, (e) technical information security measures, (f) Data Protection Impact Assessments, (g) data processors / vendors, (h) Data Protection Officers, (i) incident reporting, and (j) compliance documentation. It also requests samples of companies’ privacy notices, consent language, data processing agreements, and Data Protection Impact Assessments.
Companies that receive a questionnaire from a German DPA are generally well-advised to work with counsel in order to enable a prompt response, ideally in German. Generally speaking, German DPAs are willing to interact with companies in order to clarify the scope of questions, specify requested materials, and right-size the level of detail responses should contain. This willingness to take a more collaborative approach can continue into the response and follow-up phases of surveys. However, delayed responses – or the absence of a response – are generally viewed unfavorably, just as they would be by U.S. regulators, and can result in heightened scrutiny.
Materials relating to the Lower Saxony DPA’s survey are provided here: