Criteria catalogue GDPR for business
The State Commissioner for Data Protection (LfD) of Lower Saxony is currently auditing 50 large and medium-sized companies with regard to the implementation of the General Data Protection Regulation (GDPR). As a result of this examination, a catalogue with evaluation criteria was created. The LfD Lower Saxony offers this catalogue of criteria as a download to provide orientation for interested companies. We have taken a closer look at the catalogue for business.
Structure and scope of the catalogue
50 large and medium-sized companies were audited on the GDPR. The uniform assessment of the companies was carried out on the basis of specific criteria. The catalogue is subdivided into ten sets of questions containing a total of 200 individual criteria.
Companies should ask themselves the following ten essential questions in preparation for a GDPR examination:
Question 1: Preparation for the GDPR
How did you, as a company, prepare for the GDPR? Describe (briefly) the procedure, which areas were involved and which measures were initiated. If not all measures have been fully implemented yet, please also explain the implementation status.
Question 2: Record of processing activities (VVT)
How did you ensure that all your business operations involving the processing of personal data were included in a register of processing activities? How do you ensure that it is kept up to date? Please attach an overview of your documented procedures as well as a sample procedure.
Question 3: Permissibility of processing
On which legal basis do you process personal data? If you also process personal data on the basis of consent, please enclose the consent forms you use.
Question 4: Rights of data subjects
How do you ensure compliance with the rights of data subjects (to information, access, rectification, erasure, restriction of processing, data portability)? Outline your processes in this regard and in particular go into detail about how you comply with your information obligations. Please enclose sample information notices.
External Data Protection Officer
You are welcome to engage us as your external data protection officer (DPO). We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.
Question 5: Technical data protection
- How do you ensure that your technical and organisational measures or those of your service providers guarantee a level of protection appropriate to the processing risk?
- How do you ensure that your technical and organisational measures are adapted to the current state of the art?
- How do you ensure that you have a documented data protection-compliant role and authorization concept for the IT applications you currently use or will use in the future?
- How do you ensure that data protection requirements are taken into account from the outset when modifying or developing new products or services (privacy by design and by default)?
Question 6: Data protection impact assessment
- How do you ensure that processing operations likely to present a high risk to the rights and freedoms of data subjects are identified and that a data protection impact assessment is carried out for them?
- Have you identified any processing operations in your company that are likely to present a high risk to the rights and freedoms of data subjects? Which ones? Please attach the respective documentation for the data protection impact assessment.
Question 7: Processing on behalf of a controller
Have you adapted your existing contracts with processors to the new GDPR requirements? If you use template contracts, please enclose them. In addition, please enclose a current contract with one of your processors as a sample.
Question 8: Data Protection Officer
How is your Data Protection Officer integrated into your organisation? What proof of expertise do they have?
Question 9: Notification requirements
How do you ensure that your company reports data protection breaches to the supervisory authority in a timely manner? Outline your processes in this regard.
Question 10: Documentation
How can you prove that you have complied with all the obligations mentioned in points 2 to 9 above?
You can find more detailed information on the website of the State Commissioner for Data Protection of Lower Saxony at https://lfd.niedersachsen.de/startseite/