The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability


Continue Reading German DPA releases findings of GDPR readiness audits of 50 organizations

The German data protection authorities (German DPAs) have jointly released a list of processing activities (List) that are subject to a data protection impact assessment (DPIA). The List contains 16 examples.

What is a DPIA?

DPIAs shall help identifying, assessing and minimising the data protection risks of a project in which personal data are processed. Especially broader risks to the rights and freedoms of individuals, resulting from the processing, shall be assessed and mitigated by appropriate countermeasures.

DPIAs also support the General Data Protection Regulation’s (GDPR) accountability principle, helping organisations to prove that they have taken appropriate measures as required by GDPR, so that a compliant processing is possible.

Art. 35 GDPR provides that a DPIA is generally required where the processing of personal data, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR lists three examples where a DPIA is required:

  • Systematic and extensive profiling
  • Processing of special categories of personal data or criminal offence data on a large scale
  • Systematic monitoring of publicly accessible places on a large scale

Art. 35 (4) GDPR calls on supervisory authorities to release lists that further specify those cases where a DPIA is mandatory.

Continue Reading When do organisations need to carry out a data protection impact assessment? German authorities provide guidance

Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published Guidelines on DPIAs and on determining whether processing is “likely to