Data Protection Academy » Data Protection News » Criteria catalogue GDPR for business

LfD Lower Saxony checks companies' compliance with the GDPR with a catalogue of criteria

Criteria catalogue GDPR for business

The State Commissioner for Data Protection (LfD) of Lower Saxony is currently auditing 50 large and medium-sized companies with regard to the implementation of the General Data Protection Regulation (GDPR). As a result of this examination, a catalogue with evaluation criteria was created. The LfD Lower Saxony offers this catalogue of criteria as a download to provide orientation for interested companies. We have taken a closer look at the catalogue for business.

Structure and scope of the catalogue

50 large and medium-sized companies were audited on the GDPR. The uniform assessment of the companies was carried out on the basis of specific criteria. The catalogue is subdivided into ten sets of questions containing a total of 200 individual criteria.

Companies should ask themselves the following ten essential questions in preparation for a GDPR examination:

Question 1: Preparation for the GDPR

How did you as a company prepare for the GDPR prepared? Describe (briefly) the procedure, which areas were involved and which measures were initiated. If not all measures have been fully implemented yet, please also explain the implementation status.

Question 2: Record of processing activities (VVT)

How did you ensure that all your business operations involving the processing of personal data were included in a register of processing activities? How do you ensure that it is kept up to date? Please attach an overview of your documented procedures as well as a sample procedure.

Question 3: Permissibility of processing

On which legal basis do you process individual-related data? If you also process personal data on the basis of consent, please enclose the samples you used.

Question 4: Rights of data subjects

How do you ensure compliance with the rights of data subjects (to information, disclosure, rectification, erasure, restriction of processing, data transferability)? Outline your processes in this regard and in particular go into detail about how you comply with your information obligations. Please enclose sample information.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Question 5: Technical data protection

  1. How do you ensure that your technical and organisational measures or those of your service providers guarantee a level of protection appropriate to the processing risk?
  2. How do you ensure that your technical and organizational measures are adapted to the current state of the art?
  3. How do you ensure that you have a documented data protection-compliant role and authorization concept for the IT applications you currently use or will use in the future?
  4. How do you ensure that data protection requirements are taken into account from the outset when modifying or developing new products or services (privacy by design and by default)?

Question 6: Data protection impact assessment

  1. How do you ensure that processing operations likely to present a high risk to the rights and freedoms of data subjects are identified and that a data protection impact assessment is carried out for them?
  2. Have you identified any processing operations in your company that are likely to present a high risk to the rights and freedoms of data subjects? Which ones? Please attach the respective documentation for the data protection impact assessment.

Question 7: Order processing

Have you adapted your existing contracts with contract processors to the new DSGVO regulations? If you are using sample contracts, please enclose them. In addition, please enclose a current sample contract with one of your contract processors.

Question 8: Data Protection Officer

How is your Data Protection Officer involved in your organisation? What proof of expertise does he have?

Question 9: Notification requirements

How do you ensure that your company reports data protection breaches to the supervisory authority in a timely manner? Outline your processes in this regard.

Question 10: Documentation

How can you prove that you have complied with all the obligations mentioned in points 2 - 9 above?

You can find more detailed information on the website of the State Commissioner for Data Protection of Lower Saxony at

Prof. Dr. Andre Döring

This might interest you too:

Whatsapp Privacy

WhatsApp and privacy

The messenger service WhatsApp is part of the Facebook group to which Instagram also belongs. At the beginning of 2021, Whatsapp announced an adjustment of its privacy policy. What can users do?

Privacy issues in 2020: Interview with the BfDI office

Learn more about: Data processing by Facebook, Goolge & Co. Fines imposed by regulatory authorities. The impact of brexite on data protection in Europe.

Experts take stock of the GDPR

DSGVO strengthens EU market power, enforcement must become more efficient, more clarity on interpretation by authorities and courts