2016
Finished: Finished

Start: 2016
End: 2016


Brief description
In recent years, the number of international transfers of personal data in the private sector has increased enormously. One reason for this development is economic globalization, along with the continuing spread of so-called cloud computing services and products. Even small and medium-sized enterprises in Germany use many of these external services and thereby transfer personal data (e.g. of customers, employees or applicants).

However, many of these services are offered by US companies and therefore usually require the transfer of personal data to the US and/or other non-EU countries. The experience of the German data protection authorities (DPAs) so far shows that companies are not always aware that using such products involves a transfer of personal data to non-EU countries.
Legal basis
BDSG
Number of companies audited
500

Audit documents:
Subjects
Press release

Start: 2016
End: 2017


Brief description
In the years 2013, 2014 and 2015 we already audited companies by questionnaire and subsequent on-site inspections. The focus of these audits was the implementation of key data protection requirements, such as the appointment of a Data Protection Official, a structured processing directory, rules on contract data processing, IT security concepts, etc. About 350 organisations in Bavaria have been examined in such audits by the BayLDA.

However, we repeatedly encounter companies that still need to improve considerably with regard to data protection. The main aim of these reviews is to reduce the number of complaints from employees and customers, and also the number of data breaches.

For this audit of data protection organisation, in the first half of 2016 we randomly selected over 50 companies and, as a first step, contacted them with our questionnaire.
Legal basis
BDSG
Number of companies audited
85

Audit documents:
Subjects
2015
Finished: Finished

Start: 2015
End: 2015


Brief description
Many companies operating dating websites are located in Bavaria. They cover every size, from big players with a significant market share to smaller dating websites concentrating on niches. However, they all have in common that they handle very sensitive personal data. This is why the BayLDA, together with the supervisory authorities of Berlin, Hamburg and Baden-Wuerttemberg, decided to take a closer look at these business models. We examined whether the data processing is carried out in accordance with data protection laws.
Legal basis
BDSG
Number of companies audited
10

Audit documents:
Subjects
Announcement
result
Finished: Finished

Start: 2015
End: 2016


Brief description
Real estate agents collect and store a great deal of personal data, including very sensitive personal data. This is the industry-wide state of play. We want to know which personal data is collected, for which exact purpose and at which exact moment. Based on this, a customer can be informed which personal data may be collected at a certain time. Furthermore, one can distinguish between personal data that may legally be collected in connection with buying or renting a property and personal data that cannot legally be collected. In conclusion, we want to raise general data protection awareness.
Legal basis
BDSG
Number of companies audited
86

Audit documents:
Subjects
Finished: Finished

Start: 2015
End: 2016


Brief description
The reason why we conducted such a large-scale investigation into the handling of applicants' personal data is that many citizens inquired about it and filed complaints regarding this issue. Furthermore, we were concerned with the question of how applicants' personal data is handled within a company. For example, it was unclear how the department with the open position handles personal data forwarded by the HR department, from the point of view of data protection and data security. The goal of our large-scale investigation was to supervise companies handling applicants' personal data and to raise even more awareness. On the one hand, the questionnaire included legal questions, such as the period for which personal data is stored after the application process is concluded. Another legal question focused on the internal procedure for forwarding personal data and whether such personal data has been transferred to a third party, e.g. personnel service providers, and whether an applicant is asked for his/her consent in due time beforehand. On the other hand, there were technical questions, e.g. whether an encryption method is available for sending an email application, or whether reach-measurement tools are used.
Legal basis
BDSG
Number of companies audited
74

Audit documents:
Subjects

Start: 2015
End: 2016


Brief description
The right to obtain information is a fundamental data protection right. The goal of the BayLDA's project on the right to obtain information was to inform the public about this data protection issue. Moreover, we wanted to motivate data subjects to inquire about who holds which personal data concerning them. The BayLDA wanted to know which interests data subjects have concerning data processing by a third party, and especially how the right to obtain information is handled on a practical level. Last but not least, the results, i.e. the practical experiences, should help to draft detailed guidelines that help companies answer such requests in accordance with the law.
Legal basis
BDSG
Number of companies audited
188

Audit documents:
Information sheet
2014

Start: 2014
End: 2014


Brief description
The BayLDA has conducted an automated online investigation of the mail servers of Bavarian companies in order to check the use of certain encryption methods for protecting personal data in email communications. During on-site inspections of Bavarian controllers, the BayLDA had found that the secure configuration of email servers in particular, and with it the protection of personal data sent by email, is often neglected by controllers. Therefore, there is a need to improve IT security.
Legal basis
BDSG
Number of companies audited
2236

Audit documents:
Press release
2013
Finished: Finished

Start: 2013
End: 2013


Brief description
One widely used tool by Adobe is Adobe Analytics (Omniture). The Bavarian State Authority on Data Protection with regard to the private sector conducted an online examination in order to determine whether this tool can be used in accordance with data protection laws.
Legal basis
BDSG
Number of websites audited
10,238

Audit documents:
Subjects
2012
Finished: Finished

Start: 2012
End: 2012


Brief description
Many website operators use website tools to track user behavior (so-called tracking tools). Via these tracking tools, a website operator is able to measure the reach of the website, to analyze the online behavior of website visitors, and to understand how many visitors use the website, where they come from and which target group they belong to. A very widely used tracking tool is "Google Analytics" by Google. The BayLDA examined 13,404 Bavarian websites in order to check compliance with data protection laws when using Google Analytics.
Legal basis
BDSG
Number of websites audited
13,404

Audit documents:
Subjects
International
Finished: Finished

Start: 2015
End: 2015


Brief description
Children's data protection was the main focus of the International Sweep Day 2015. In total, 28 data protection authorities from all around the world participated. The main focus of our examination was websites and apps specifically aimed at children up to the age of 13. We concentrated on websites popular with this target audience. The BayLDA participated in this event as well, after having already participated in the previous two events. On the one hand, the BayLDA supports international cooperation. On the other hand, we think that children's data protection is becoming increasingly important in our digital age, especially because of smartphones and smart toys.
Legal basis
BDSG
Number of apps audited
50

Finished: Finished

Start: 2014
End: 2014


Brief description
For the second time, data protection authorities were asked to participate in the "International Sweep Day 2014", organized by the GPEN (Global Privacy Enforcement Network). The Canadian data protection authority initiated this event. The motto of this year's event was "Mobile Privacy". In contrast to the 2013 event, only apps were examined. Therefore, pre-set examination criteria were agreed upon. The goal was to gain an insight into the apps available and to find out whether there is a lack of transparency with regard to data protection requirements. Each data protection authority was able to decide independently which apps to examine, even outside of its own jurisdiction. After the "International Sweep Day 2014", each authority could decide to engage in an even deeper analysis of apps within its jurisdiction. The BayLDA participated in this international event, alongside 25 other data protection authorities from different countries.
Legal basis
BDSG
Number of apps audited
60

Audit documents:
International result
result
Finished: Finished

Start: 2013
End: 2013


Brief description
In March 2010, data protection authorities from the OECD (Organisation for Economic Co-operation and Development) and APEC (Asia-Pacific Economic Cooperation) came together via the GPEN (Global Privacy Enforcement Network). The goal of this network is to improve cross-border cooperation. In this context, the GPEN asked data protection authorities from all 25 participating countries to engage in the "International Internet Sweep Day". This event was designed to examine websites operated by private companies and individuals, as well as mobile apps, with regard to transparency in the processing of personal data. The BayLDA participated and examined apps by Bavarian companies.
Legal basis
BDSG
Number of apps audited
30

Audit documents:
Press release
Short papers of the BayLDA
# Title
1 Publication on Art. 32 GDPR - Security of processing
2 Art. 42 GDPR - Certification
3 Video surveillance under the GDPR
4 Right to erasure ("right to be forgotten") - Art. 17 GDPR
5 Records of processing activities under Art. 30 GDPR
6 Special categories of personal data - Art. 9 GDPR
7 Sanctions under the GDPR
8 Handling data breaches - Art. 33 and 34 GDPR
9 Consent under the GDPR
10 Processing on behalf of a controller under the GDPR
11 Data transfers to third countries under the GDPR
12 Processing of personal data for advertising
13 The One Stop Shop
14 Mutual assistance and joint operations of the supervisory authorities
15 Conditions applicable to a child's consent, Art. 8 GDPR
16 The data subject's right of access - Art. 15 GDPR
17 Codes of conduct - Art. 40 GDPR
18 Data protection impact assessment (DPIA) - Art. 35 GDPR
19 The data protection officer (DPO) - Art. 37 to 39 GDPR
20 Employee data protection under the GDPR and the new BDSG