Privacy audits

The BayLDA conducts data protection audits on a regular basis as part of its duties. These audits can be distinguished by reason, form and scope. On this page, we publish information on on-site examinations of certain controllers. Primarily, we want to inform about selected large-scale data protection audits that we have conducted in the past. These have been conducted online as well as via written submissions.

12/2018

Start: Open
End: Open


Brief description
As part of a separate audit, deletion routines at larger enterprises are to be examined. The focus will be on the GDPR-compliant and timely deletion of personal data in ERP systems. To this end, it is planned to audit the use of SAP software in enterprises with regard to the existing modules or data deletion applications and to examine the necessary deletion concepts.
Legal basis
Art. 17 GDPR
Art. 25 GDPR
Target group
Larger enterprises with SAP systems
Selection criteria
Open
Number of companies audited
Open
Number of scheduled on-site audits
Open
11/2018

Start: Open
End: Open


Brief description
The GDPR has aligned the notification threshold for so-called "data breaches" with the risk to natural persons resulting from a security breach. This has led to a significant increase in notifications to the BayLDA pursuant to Art. 33/34 GDPR. What is striking about the notifications so far is that the cause of the risk lies almost exclusively with the responsible organisations in Bavaria themselves. However, since the GDPR also triggers a notification obligation for responsible organisations in the case of security breaches at service providers (even in the case of further subcontracting), the BayLDA wonders why there are hardly any notifications triggered by (international) service providers. The audit is intended to shed light on this question and deals with the "incident response" of larger and data-driven companies.
Legal basis
Art. 33 GDPR
Art. 34 GDPR
Art. 28 GDPR
Target group
Larger and data-driven enterprises with (presumably) many service providers in an international environment
Selection criteria
Manual selection of companies for which a larger number of (international) service providers processing data on their behalf can be assumed.
Number of companies audited
15
Number of scheduled on-site audits
7

Start: 16.11.2018
End: Planned for 21.12.2018


Brief description
The subject of this audit is the safe use of WordPress as a CMS. At the beginning of November 2018, a very critical vulnerability became known in an extension for WordPress installations. Up to and including version 1.4.2, the WP GDPR Compliance Plugin has a critical vulnerability through which attackers can easily take over the website.
Legal basis
Art. 32 GDPR
Target group
Website operators
Selection criteria
All Bavarian websites known to the BayLDA have been examined with regard to this plugin.
Number of websites audited
23
Number of scheduled on-site audits
0

Start: 06.11.2018
End: Open


Brief description
The GDPR requires the responsible organisation to demonstrate compliance with the GDPR (Art. 5 para. 2 GDPR). This "accountability" basically represents a "reversal of the burden of proof", which means that compliance with the legal requirements must be demonstrated to the data protection authority during an audit. While in the case of large companies this can usually only be achieved by systematically structuring the business processes, the GDPR scales quite well in the case of SMEs (small and medium-sized enterprises): compliance with data protection requirements can be achieved in a much less formal way. Many of the important points are asked about within the scope of this audit.
Legal basis
Art. 5 para. 2 GDPR
Target group
Small companies (from 100 employees) and medium-sized companies (from 500 employees)
Selection criteria
7 companies were selected for which there have been frequent privacy complaints at BayLDA lately. The other 8 companies were randomly selected.
Number of companies audited
15
Number of scheduled on-site audits
5 - 15

Audit documents:
Questionnaire
10/2018

Start: 30.10.2018
End: Open


Brief description
The subject of this audit is the secure use of online shop systems. Magento shop installations are examined to determine whether all available important security patches have been applied to the systems and whether any known critical weaknesses have been eliminated. Furthermore, it is checked whether the responsible website operators have a regulated patch management process in place and whether, if necessary, they can fulfil the data protection obligations that arise from a security breach (incident response).
Legal basis
Art. 32 GDPR
Target group
Responsible organisations in the eCommerce environment: Online shops with Magento software
Selection criteria
100 randomly selected online shops in Bavaria were preselected with regard to the use of Magento. 20 of these shops actively used Magento as their shop software and were checked in detail. The remaining shops use a different shop structure and were not examined in detail during this major audit.
Number of companies audited
100
Number of scheduled on-site audits
Open

Start: 24.10.2018
End: Open


Brief description
The processing of personal data in application procedures is investigated in the case of randomly selected responsible organisations. The focus is on the correct implementation of the duty to provide information to applicants, which should ultimately enable each applicant to learn how his or her data is handled.
Legal basis
Art. 13 GDPR
Target group
Larger enterprises
Selection criteria
The companies audited were selected at random, but care was taken to ensure that they were large organisations.
Number of companies audited
15
Number of scheduled on-site audits
Open

Audit documents:
Covering letter

Start: 12.10.2018
End: Open


Brief description
Ransomware is malicious software that blocks access to data and then demands a ransom to make the data available again in its original state. Especially in the medical field, attacks using ransomware are often particularly critical, because in the absence of access to patient and treatment data, for example, treatments can no longer be guaranteed. In this area in particular, there is a great urgency to restore the data quickly. The BayLDA has therefore decided to audit doctors with questions about the handling and prevention of attacks using ransomware. The aim is to ensure that patient data is adequately protected against the threat of ransomware.
Legal basis
Art. 32 GDPR
Art. 33 GDPR
Art. 34 GDPR
Target group
Medical practices
Selection criteria
When selecting the medical practices, care was taken to select medical specialties in which an attack by means of ransomware is particularly critical and it is therefore likely that the required ransom will be paid quickly. The final selection was then made at random.
Number of companies audited
8
Number of scheduled on-site audits
Open

Audit documents:
Questionnaire
Information sheet

Start: 01.10.2018
End: Open


Brief description
The GDPR requires the responsible organisation to demonstrate compliance with the GDPR (Art. 5 para. 2 GDPR). This "accountability" represents in principle a "reversal of the burden of proof", which means that compliance with the legal requirements must be demonstrated to the data protection authority during an audit. For large companies this means, on the one hand, that the organisational structure is designed in such a way that other actors (e.g. the legal/compliance department or IT security) deal with data protection requirements in addition to the company data protection officer. On the other hand, three core processes in the company must be effectively designed in the so-called process organisation:

  1. Data protection-compliant processing
  2. Dealing with data subjects' rights
  3. Dealing with data breaches
Simply put, the aim of the audit is to determine compliance with the GDPR in day-to-day business at large companies.
Legal basis
Art. 5 para. 2 GDPR
Art. 24 GDPR
Target group
Large-scale and data-driven enterprises
Selection criteria
Companies were selected for which the BayLDA assumes that they have already implemented the GDPR in the best possible way. The results of this audit will then define the "benchmark" to be achieved in future audits of other large companies.
Number of companies audited
3
Number of scheduled on-site audits
3

Audit documents:
Questionnaire
02/2018

Start: 08.02.2018
End: 29.08.2018


Brief description
The subject of the audit is the secure use of so-called content management systems (CMS). These systems are used to create, edit and manage the content of websites. However, many of the widely used systems, most of which can be used free of charge as open source, have security vulnerabilities which, depending on their severity, must be classified as critical and thereby endanger the protection of personal data. For this reason it is necessary to close existing gaps through targeted patch management and to install the latest versions provided by the vendor, in order to counter the many attack possibilities of cyber criminals preventively. As part of the audit, the CMS "WordPress" is examined with regard to the security patches installed at selected websites that offer a potentially attractive target for attack.
Legal basis
§ 9 BDSG
Art. 32 GDPR
Target group
Websites
Selection criteria
The responsible organisations were selected according to two criteria:

  1. The website is an attractive target for cyber criminals due to its nature.
  2. There have already been security incidents in the recent past regarding the CMS used by the responsible organisation or similar organisations in the target group.
Number of websites audited
172
Number of scheduled on-site audits
0