Data Protection Authority Of Bavaria, Germany, Intensifies GDPR Compliance Monitoring

Author: Mr Benjamin Beck and Ana Elisa Bruder
Profession: Mayer Brown

On 7 November 2018, the data protection authority of the Free State of Bavaria, Germany, issued a press release announcing that, now that the European General Data Protection Regulation (GDPR) has been in effect for six months, it will intensify its GDPR compliance monitoring. The Bavarian data protection authority is responsible for monitoring GDPR compliance in the state of Bavaria within the non-public sector. The authority's intensified monitoring activities will, in general, concern cybersecurity vulnerabilities and GDPR information duties.

For example, the authority will monitor whether online shops whose operations are based in Bavaria and local doctors' practices have adequate cybersecurity measures in place. According to the authority, in recent months, online shops were increasingly the target of attacks in which the hacker tried to gather customers' payment information. In doctors' practices, increased use of "ransomware" has been reported. This type of malicious software allows an attacker to, inter alia, block access to certain data until a ransom is paid. The authority is also concerned with whether small and medium-sized companies have provided job applicants with sufficient information on how their personal data is processed in the company's application process.

Another focus of the authority's monitoring will be whether major companies satisfy their GDPR accountability obligations. Under the GDPR, the data protection authorities do not have to provide evidence of non-compliance. Rather, upon request, the data controller itself has to demonstrate to the respective authority that it is in compliance with its obligations. To collect information on the implementation of the GDPR within major companies, the Bavarian...
