Germany/Saarland: Privacy inspection questionnaires

.. in German

The DPA Saarland uses four questionnaires:
– interesting questions incl. on various concepts (data deletion, encryption, pseudonymization, risk evaluation/model, privacy management, ..)

Key points from the Accountability questionnaire (GDPR Art 5 (2))

  • (Translation, highlights by myself)
    Accountability Review
    according to Art. 5 Para. 2 GDPR
    Posted December 04, 2018
    Case number:

    We kindly ask you to answer the following questions in full and send the requested documents based on Art. 58 GDPR by January 31, 2019 at the latest.

    Basic concept

    1. Is there a data protection guideline(/policy/directive) in the company?
      • Yes. Please send us a copy of the guideline.
      • No.
    2. Has a data protection officer been appointed and reported to the supervisory authority?
      • Yes. ____________________________________
      • No.
    3. What are the tasks of your data protection officer in this function (short description)?
    4. Does the data protection officer perform other functions in or for the company?
      • Yes. Please describe them briefly.
      • No.
    5. If there are several locations or branches of the company, are these integrated into a uniform data protection concept?
      • Yes. Please send us a copy of the data protection concept.
      • No.
    6. Do these locations or branches independently decide on the purposes and means for processing personal data?
      • Yes.
      • No.
    7. Are internal responsibilities with regard to data protection-relevant processes or procedures (e.g. training of employees, reporting of data protection violations, …)?
      • Yes. Please send us a copy of the written specifications.
      • No.
    8. Are there rules for internal controls to ensure compliance with data protection regulations?
      • Yes. Please send us a copy of these rules.
      • No.
    9. Please describe briefly how the company is dealing with inputs by the data protection officer (e.g. reports, statements or similar)

      List of processing activities (Art. 30 GDPR)

    10. Is there a complete list of processing activities?
      • Yes. Please state the number of processing activities.
      • No. Please give the reason.
    11. Please describe the method used (e.g. purpose, means, process, IT system, …) to determine the individual processing activities.
    12. Please describe the rules on how the directory of processing activities is managed (e.g. updates or with regard to change history and powers, etc.).

      Uniform risk model

    13. Is there a document that provides a company-wide understanding of data protection risk?
      • Yes. Please send us a copy of this document.
      • No.
    14. Please describe how, in your opinion, the damage to the rights and freedoms of natural persons should be understood when evaluating data protection risk.
    15. Please describe which scales are used to model the likelihood of occurrence and severity of a data protection risk in the company.
    16. Please describe how you ensure that all relevant positions understand the difference between the corporate risk (focus: corporate values) and a data protection risk (focus: rights and freedoms of natural persons).
    17. Is the risk model known to those responsible for data protection as well as the company data protection officer and the information security officer?
      • Yes.
      • No.

      Privacy compliant data processing

    18. Is there a documented legal basis for the processing of personal data for every processing activity according to Art. 30 GDPR?
      • Yes.
      • No. Please give the reason.
    19. Is there a documented legitimate interest assessment if processing is based on a “balancing of interests” according to GDPR Art. 6 Para. 1 lit. f?
      • Yes.
      • No. Please give the reason.
    20. Are consents within the meaning of Art. 4 No. 11 GDPR designed in accordance with the requirements of Art. 7 GDPR and can they be withdrawn at any time?
      • Yes.
      • No. Please give the reason.
    21. Describe the contexts in which the data subject’s consent is obtained.
    22. Send appropriate samples of the declarations of consent you are using.
    23. Has a threshold value analysis (i.e. risk assessment) been carried out for each processing documented in the directory according to Art. 30 GDPR to prepare the question of whether a data protection impact assessment has to be carried out?
      • Yes.
      • No. Please give the reason.
    24. Please name the processing activities for which you have determined the need to carry out a data protection impact assessment in accordance with Art. 35 GDPR and provide us with the documented results of the data protection impact assessments.
    25. Is there a deletion concept (e.g. according to DIN 66398) that also regulates the handling of archives and backups?
      • Yes. Please send us a copy of this concept.
      • No. Please give the reason.
    26. Are adequate measures in place to ensure confidentiality, integrity and availability according to GDPR Art 32?
      • Yes. Please send us the security concept.
      • No. Please give the reason.
    27. Is there a process (Plan-Do-Check-Act) to ensure the effectiveness of the measures under Art. 32 GDPR?
      • Yes. Please send us a description of this process.
      • No. Please give the reason.
    28. Please describe how Privacy by Design is conceptually implemented in accordance with Art. 25 Para. 1 GDPR, taking particular account of the principles of data minimization and compliance with the purpose limitation in the processing activities in the company.
    29. Does a uniform audit methodology apply to audits by the data protection officer?
      • Yes. Please send us copies of the last two audit reports.
      • No. Please give the reason.
    30. Please describe how it is ensured that processors are selected in accordance with Art. 28 GDPR on the basis of a suitable risk model and effective technical and organizational measures based on them (in accordance with Art. 25 Para. 1 GDPR).
    31. Please describe how it is ensured that (for sub-processing) the legal basis of the so-called second level for data transfers to third countries is correctly designed.
    32. Is there a uniform encryption concept?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    33. Does a uniform pseudonymization concept exist?
      • Yes. Please send us a copy of the written specifications.
      • No. Please give the reason.
    34. Are there processing activities in the company for which there is a joint controllership pursuant to Article 26 GDPR?
      • If yes, please describe this processing in key words and submit the corresponding agreements on joint responsibility for two of these processing processes.
      • No.

      Dealing with data subject rights

    35. Has a process been implemented to deal with information claims under Art. 15 GDPR?
      • Yes. Please describe this process.
      • No. Please give the reason.
    36. Please describe how it is ensured that the personal data of those affected can be quickly and completely available from all existing systems and, if applicable, branches.
    37. Are data subjects transparently informed about all processing activities documented in the directory according to Art. 30 GDPR in accordance with Art. 12 ff. And, if applicable, Art. 21 GDPR?
      • Yes.
      • No. Please give the reason.
    38. Has the website (s) been revised since May 25, 2018 in such a way that they are sufficiently informed about the data processing (the website) in accordance with Art. 13 GDPR?
      • Yes.
      • No. Please give the reason.

      Please send us a complete list of all domain names for your company.

    39. Has a procedure been implemented to ensure compliance with the deadlines regarding the rights of the data subjects pursuant to Art. 14-22 GDPR?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    40. Has a procedure been implemented to respond to requests from data protection supervisory authorities regarding data protection complaints received there?
      • Yes. Please describe this procedure.
      • No. Please give the reason.
    41. Are training documents available with which the persons who are involved in the processes to ensure the rights of those affected are properly informed?
      • Yes. Please send us a copy of these documents.
      • No. Please give the reason.
    42. Have you considered how to respond to a data subject’s application for data portability in accordance with Art. 20 GDPR? If necessary, please describe your considerations.
    43. Have you already made such an application?
      • Yes.
      • No.

      Dealing with data protection violations

    44. How many data protection violations according to Art. 33 GDPR have you become aware of since May 25, 2018 and how many of them have been reported to the supervisory authority or only documented within the meaning of Art. 33 Para. 5 GDPR?
    45. Please describe how data protection violations are recognized in the company according to Art. 33/34 GDPR.
    46. ​​Please describe how you can identify, document and process data protection violations that occur with service providers (also in third countries).
    47. Does the risk model for classifying data protection risk also apply to data protection violations according to Article 33/34 GDPR?
      • Yes.
      • No. Please give the reason.
    48. Describe the process in the event that a high risk for data subjects is identified in the event of data protection violations.
    49. Describe to what extent it is guaranteed that data protection violations will be reported to the responsible supervisory authority within 72 hours (including on weekends / public holidays).
    50. Has it been clarified and documented at which positions in the company the registration period of 72 hours starts?
      • Yes. Please tell us these places: _______________________
      • No. Please give the reason.
  • DPA Liechtenstein – Verfahrensbeschreibung für Datenschutzüberprüfungen

    Process description for data protection inspections / privacy inspections / audits.

    In a first step, the DPA is gathering information and statements based on a questionnaire.

    In addition, the DPA regularly requests the following information in an electronic format or on paper:

    • Records of processing activities (GDPR Art. 30 (4));
    • Information to the affected persons (GDPR Art. 13 and 14);
    • Templates of consent forms (GDPR Art. 7);
    • Information about data protection trainings of employees;
    • Contracts with processors (GDPR Art. 28 (3)) or other current contracts with external parties that get in touch with personal data, such as hardware and software partners, software vendors, application service providers, in which the applicable data protection controls need to be emphasized;
    • Documentation of data breaches (GDPR Art. (5));
    • Data protection impact assessments (GDPR Art. (35)).

    In order to assess compliance to GDPR and the effectiveness of the controls, the DPA regularly asks for

    • Organisational structure
    • Privacy directive (privacy policy), security policy, emergency planning
    • Review and audit reports – esp. in context of IT in scope
    • Basic documentation of the IT infrastructure (hardware and software in use)
    • Access control concept, especially access rights of administrators, external staff, sub-processors and other external parties
    • Policies, instructions to users for the use of IT
    • Non-disclosure, confidentiality agreements and other relevant instructions/agreements
    • Controls and arrangements regarding the retention time and deletion of personal data (deletion concept)

    GDPRhub – a free and open wiki on GDPR insights across Europe

    powered by and others

    From their Welcome page:
    “In the decisions section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 50 webpages in each Member State. This page currently contains 300+ decisions and the goal is to reach 500+ by the end of 2020. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox and subscribe to the GDPRtoday newsletter!

    In the knowledge section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.”

    DPA Ireland Guidance Notes: Legal bases for processing Personal Data

    December 2019

    “If processing of sensitive ‘special category’ data is necessary as part of performing the contract, controllers will also need to identify a separate exception to the general prohibition of processing such data, because contractual necessity alone does not fulfil the requirements of Article 9 GDPR. Thus, as with all processing of such special category data, the controller will need both a legal basis – in this case, necessary for the performance of a contract – as well as fulfilling a condition under Article 9(2) which allows for the processing that type of personal data – such as the fact that the data have been ‘manifestly made public’ or the processing is necessary to establish, exercise, or defend a legal claim.”

    Netherlands: Interesting DPA action over processing of pseudonymized data

    Below bits via Google translate from Press release below:
    “The Dutch Data Protection Authority (AP) has reprimanded the Alliance for Quality in Mental Healthcare (Akwa GGZ) for processing personal health data. According to the privacy law, this is prohibited because health data provide sensitive information about a person. Processing is only allowed in exceptional cases. Akwa GGZ has taken over a set of insufficiently anonymized health data from the Benchmark GGZ (SBG) foundation since the beginning of 2019. Akwa GGZ has thus processed health data, while this processing cannot be based on an exception to the prohibition.

    SBG and Akwa GGZ conduct quality research in mental health care. At the request of the care institution, patients complete a questionnaire so that mental healthcare providers can be benchmarked on treatment effect and customer satisfaction. This so-called Routine Outcome Monitoring (ROM) data went to SBG via Zorg TTP after pseudonymisation. After an enforcement request, the AP investigated the SBG’s working methods and tested them against relevant laws and regulations.”

    “The AVG defines personal data as all information that can be traced to the person. The AP has analyzed all steps from the delivery of data by the patient to the processing of that data by SBG. This shows that SBG did not use randomization techniques when SBG received the data. The key for pseudonymisation also remains the same.

    The AP finds that SBG has taken insufficient technical guarantees on the data set to eliminate the risks of traceability. The ROM data is therefore not anonymous and can be traced back to the person. At the start of 2019, Akwa GGZ took over the dataset from SBG. SBG and Akwa GGZ thus processed personal data about patients’ health.”

    Germany, Federal DPA: 9.550.000 EUR fine on 1&1 Telecom Gmbh

    The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise alone by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 GDPR , according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.

    After BfDI had raised the concerns, 1 & 1 Telecom GmbH was transparent and very cooperative. In a first step, the authentication process was first secured by requesting additional information. In a further step, 1 & 1 Telecom GmbH is currently introducing a new authentication procedure which has been significantly improved in terms of technology and data protection, in consultation with the BfDI .

    Despite these measures, the imposition of a fine was necessary. Among other things, the infringement was limited only to a small proportion of customers, but presented a risk to the entire customer base. In determining the amount of the fine remained BfDI due to the cooperative throughout the process behavior by 1 & 1 Telecom GmbH in the lower Range of possible penalty.

    Netherlands, DPA: Cloud storage of patient data reviewed by Dutch DPA — and found GDPR compliant

    The Dutch Data Protection Authority (AP) sees no reason to initiate a more detailed investigation into possible violations of the GDPR by MRDM when storing medical data on a cloud platform. This concerns personal data originating from Dutch hospitals. Public questions have been asked about how the organization works. The privacy regulator has obtained information on this from MRDM. – MDRM is a third party IT Services provider processing patient data for Dutch hospitals.

    MRDM in turn uses a sub-processor (apparently Google) for the storage of that personal data. This sub-processor is a cloud platform that is located outside the EU. The storage of data is done via the cloud. The ‘exploratory investigation’ of the AP related to that last step: the processing of patient data in the cloud.

    As part of an explorative inquiry the DPA lookes at the storage, by MRDM’s sub-processor, of patient data in the cloud.
    Apparently, the following have been reviewed

    • the standard operating procedures,
    • the sub-processing agreements and
    • technical and organizational security measures.

    The personal data is stored in the Netherlands, the contracts with the cloud platform ensure that there is no international transfer of personal data to third countries outside the EEA. In addition, MRDM has informed the AP about how the data is protected.

    The decision of the Dutch DPA not to investigate further might be seen as a sign that n that GDPR compliance can be achieved in respect of cloud-based processing of patient data.

    DPA press release:

    Blog post by BakerMcKenzie:

    Media article: