DPA Liechtenstein published a description on the procedure for data protection inspections

24. June 2020

The Data Protection Authority of Liechtenstein (DPA) – Datenschutzstelle Fürstentum Liechtenstein –  recently published a description on the procedure for data protection inspections conducted by the DPA to provide transparent information on the process from the first contact until the completion of the audit.

The DPA distinguishes five kind of inspections:

  1. Investigations in individual cases on the basis of complaints or indications;
  2. Preventive or unprompted investigations in the form of data protection checks;
  3. Investigations at the request of a responsible person or processor;
  4. Investigations based on a legal mandate;
  5. Coordinated joint investigations.

According to the published statement the purpose of a data protection inspections is to assess the actual situation (current status) established by the reviewed organisation and, if necessary, to bring data processing activities into compliance with the GDPR or the DSG  in a specific way and within a specific period of time, in particular by giving instructions (target status).

The process depends on the individual case and the individual steps can be repeated or may be executed in a different order, but basically the process contains 6 steps:

  1. Contact and announcement;
  2. Document check;
  3. (optional);
  4. Audit report;
  5. Exercise of remedial powers and injunction;
  6. follow-up test.

The DPA also focuses on the accountability and cooperation obligations of the controller and explains which documents are usually requested and reviewed and which have an impact on the report.

Inter alia, the following documents are requested:

  • Records of Processing Activities;
  • Information of the Data Subjects;
  • Model consent form;
  • Information on Data Protection Trainings of employees;
  • Contracts regarding Data Processing on behalf;
  • Data Protection Impact Assessments.

Furthermore, the DPA also requests documents to be able to evaluate the effectiveness of the implemented technical and organisational measures, like:

  • Organization Chart;
  • Authorization Concept;
  • Confidentiality and Non Disclosure Agreements;
  • Data Deletion and Retention Concept.

To assess the current status, an evaluation scale is used to assess the degree of implementation of the respective measure. This ranges from ‘Not available’ to ‘Optimized’.

The duration of the assessment depends on the individual case and may take several months.

The statement is accessible in German only.

Category: GDPR · General Data Protection Regulation
Tags: