Germany: DPAs publish checklists for web hosters as data processors

The DPA for Berlin, as well as the DPAs for Niedersachsen, Rheinland-Pfalz, Sachsen, Sachsen-Anhalt and Bayern (LDA), are starting a coordinated inspection of the contracts between several web hosters and their customers.

https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2022/20220718-BlnBDI-AVV-Pruefung.pdf

To encourage data controllers to conduct their own checks, the DPA is publishing the following material:

Article with comments: https://www.cr-online.de/blog/2022/07/19/aufsichtsbehoerden-veroeffentlichen-checkliste-zur-pruefung-von-auftragsverarbeitungsvertraegen/

Paper: Investigating GDPR Fines in the Light of Data Flows

Marlene Sämann; Daniel Theis; Tobias Urban; Martin Dägeling
June 2022, Conference: Privacy Enhancing Technologies Symposium (PETS), At: Sydney, Volume: 4

“… Our analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed.”

“Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved..”

“… We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. …”

https://www.researchgate.net/publication/361208074_Investigating_GDPR_Fines_in_the_Light_of_Data_Flows