The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability

Deficiencies outlined in the Report

The Lower Saxony DPA outlined the following deficiencies that it found for some organizations.

IT security:

  • Lack of understanding of what the GDPR actually requires regarding IT security (for example, risk-based approach)
  • Lack of understanding of the concepts of privacy by default and privacy by design


  • Insufficient knowledge of the black lists provided by supervisory authorities
  • Insufficient documentation regarding whether the decision of DPIA is necessary or not
  • Lack of systematic approach
  • DPO has carried out the DPIA
  • Insufficient description of the facts concerning complex data processing activities (only half a page)
  • Lack of measures for addressing the risks identified


  • No clear definition of the update process for the ROPAs
  • Standard procedures could not be identified (for example, for operation of a website or job applications management)
  • Lack of contact information in the ROPAs (for example, of the DPO)


  • Processing activities are justified by consent even though they could be based on other legal justification in Article 6 GDPR
  • No granular choices
  • No information on withdrawal of consent option

Data subject rights:

  • Use of privacy policy templates without adapting them to the processing activities of the specific organization
  • Insufficient description of the balancing of interests (Article 6(1)(f) GDPR).
  • Insufficient processes for verification of data subject and for providing copies of the personal data processed (Article 15(3) GDPR) in connection with access requests

Data processing agreements:

  • No full compliance with the legal views of the Lower Saxony DPA (for example, with regard to maintenance of IT systems)


  • No evidence of the DPO’s expert knowledge

Notification of data breaches:

  • No clear rules on responsibility for handling data breaches


Organizations should carry out internal GDPR readiness audits 1.5 years after GDPR has entered into force to determine any compliance gaps they still have. The Report and the Checklist highlight some of the GDPR items that supervisory authorities look for in particular. Implementation of these items should thus be reviewed specifically.