Current notes

Ansbach, 05.12.2017

Startup Nations Summit 2017 in Tallinn

The BayLDA participated in the Startup Nations Summit (SNS) 2017 in Tallinn, Estonia. This network for entrepreneurs and policy shapers provides a platform to discuss innovative ideas for startups. The BayLDA supported the Policy Hack at the SNS to help startups with regulatory challenges of the General Data Protection Regulation (GDPR). The goal of the BayLDA-team was to have five questions covering main topics such as purpose, awareness, risks, security and transparency of data processing, prepared as a starting point especially for startups in implementing the GDPR. To bring fast-paced startups and the data protection authorities together, the BayLDA is currently developing guidance how to understand easily the main points of the GDPR.

Ansbach, 24.11.2017

Road to GDPR - Self-assessment

As of November 25, 2017, there will only be six months left until the new European data protection law, the General Data Protection Regulation (GDPR), becomes effective. Therefore, the BayLDA offers an online-test for controllers that allows a data protection journey across the European Union in a playful way. With it, companies can see how far they are on their way to be compliant with legal data protection requirements. As a result, everyone who participates receives a detailed analysis of the chosen answers and a description of how we believe the requirements should be implemented.

Ansbach, 10.10.2017

BayLDA investigates website encryption

As part of the new cyber security initiative to protect personal data the BayLDA starts a additional online service on its website. The URLs entered there will be checked regarding the https encryption being state-of-the-art.

Ansbach, 04.10.2017

BayLDA evaluates the use of "Facebook Custom Audience"

The Data Protection Authority of Bavaria (BayLDA) examined recently 40 Bavarian companies whether and how they use the marketing tool "Facebook Custom Audience" to place targeted advertising on Facebook.

Ansbach, 05.07.2017

BayLDA publishes questionnaire regarding GDPR audit

On the basis of numerous requests, the BayLDA decided to publish the questionnaire regarding the GDPR audit also in English. The document can be downloaded as a PDF file below.

Ansbach, 05.12.2016

DPAs examined so-called wearables

The BayLDA participated in a nationwide audit of several German DPAs (together with six other supervisory authorities) and tested so-called "wearables". Focus of this audit were both fitness tracker and smart watches with health functions. In addition, the manufacturers' apps were examined in a technical analysis. The result of this audit: no device completely complies with data protection requirements.

Ansbach, 26.09.2016

Internet of Things: International audit results

This year the BayLDA participated in the annual international data protection action of the Global Privacy Enforcement Network (GPEN) - the so called International Sweep Week. The focus of the audit was on the Internet of Things. The result of this years audit has now be published. The press releases and a presentation of the detailed results can be downloaded below.

Ansbach, 21.09.2016

Decision of the Duesseldorfer Kreis regarding the continued validity of consent

The Duesseldorfer Kreis informs in the decision from 13./14. September 2016 about the continued validity of consent under the GPDR, as long as they comply with the terms of the GPRR. The decision can be downloaded below.

Ansbach, 26.07.2016

Thomas Kranig remains president

With effect from 1st August 2011, the BayLDA was established as an independent Data Protection Authority (DPA) for the non-public sector in Bavaria by changing the Bavarian Data Protection Act. The first president of this new DPA was choosen by the Bavarian State Government for the statutory term of five years: Thomas Kranig, who has been a judge with the Administrative Court in Ansbach. Now, the Bavarian State Government decided Thomas Kranig to entrust after his first term for another five years to be president of the Bavarian DPA. Therefore the Bavarian State Minister of the Interior, Joachim Herrmann, handed the certificate of appointment to the President of BayLDA for a further term of five years.

Ansbach, 22.07.2016

EU-US Privacy Shield adopted

On 12th July 2016 the European Commission adopted the EU-U.S. Privacy Shield. According to the Press Release of the European Commission on 12 July 2016 the US companies will be able to certify with the Commerce Department starting 1st August 2016. By doing so the US companies submit themselves to follow the rules of the EU-US Privacy Shield and gain the possibility to obtain personal data from Europe on the grounds of this framework. Based on this framework personal data from the EU can be transmitted to certified US companies (provided that also the remaining legal demands for a transmission of personal data are fulfilled.)

More information can be found in the section "International data processing".

Ansbach, 29.06.2016

External service providers in Bavarian hospitals

The two Bavarian DPAs (BayLDA and BayLfD) announced a guideline for hospitals for carrying out processing on behalf of external service providers. The guideline provides recommendations how to comply with the very strict Bavarian Hospital Act. However, the guideline emerged mainly through practical experiences of BayLDA and BayLfD audits and advisory activities from the last years. Both DPAs are planning data protection audits at hospitals and there external service providers for the second half of the year. The guideline can be downloaded below.

Ansbach, 23.06.2016

Checklist for mobile apps published

The BayLDA has published a checklist for investigating apps regarding technical data protection requirements. This checklist should support app-developers in designing new mobile applications compliant to the data protection requirements. In addition to that the paper may be helpful to implement new concepts such as Privacy by Design and Privacy by Default.

The app checklist of BayLDA developed mainly from practical experiences of BayLDA audits and best practice approaches from the private sector during the last years. The document was written in accordance with the guideline on the privacy requirements of app developers and app providers - that paper can be found on our website, too. The app checklist can be downloaded below.

Ansbach, 14.04.2016

EU-US Privacy Shield: Opinion from the Article 29 Working Party

The Article 29 Working Party has published an opinion and a press release about the EU-U.S. Privacy Shield. As a conclusion, the Article 29 Working Party has urged the European Commission to react to these concerns and provide further amendments accordingly in order to ensure an adequate level of protection by means of the Privacy Shield. Further information can be found in the section "International data processing".

Ansbach, 13.04.2016

The Internet of Things - BayLDA participates in the International Sweep Week


This year the BayLDA participates in the annual international data protection action of the Global Privacy Enforcement Network (GPEN) - the so called International Sweep Week. The focus of this years' audit is on the Internet of Things. Objects of the everyday life are increasingly technically upgraded, networkable an thus more integrated into the owner's digital life. The BayLDA is going to get granular on some smart devices - from toys, fitness trackers, networked cars to common household appliances. The result of this years' audit will first be reported to the organizers of GPEN - the supervisory authority of the United Kingdom. After that the BayLDA will publish its own results in detail. Meanwhile, the BayLDA will act in case of detected deficiencies within its jurisdiction to remedy these deficits.

The press release can be downloaded below.

Ansbach, 11.04.2016

Guideline for consent forms published


Companies, freelancers and other organisations are often faced with the question of how consent forms (e.g. in use of data for marketing, in a data transmission between group enterprises, etc.) can be defined and formulated to be legally compliant under the focus of data protection. Under the coordination of the Data Protection Authority of Bavaria for the Private Sector (BayLDA) the DPAs in Germany have now published a national coordinated guideline for this topic, which can be downloaded below.

Ansbach, 08.02.2016

Automobile: Common declaration of VDA and DPAs

Privacy in automobiles

Modern vehicles require many data for the functioning of the electronic components, e.g. as ABS, ESP, airbags etc. Lots of these data (like speed, braking, and steering movements) can be associated directly to the driver, for example after a crash or while a repair in a car workshop. Online applications, which enable the vehicle to receive current traffic and service information, are a new dimension of data processing. In order to ensure for sufficient data protection and security, the Data Protection Authorities have developed in dialogue with the association of automobile (VDA) a joint statement on data protection aspects in networked and non-networked vehicles as a first step.

The statement can be downloaded below.

Further notes

Ansbach, 11.12.2015

Be smart about finding a match online

Be smart about finding a match online

Together with the Data Protection Authorities of Baden-Wuerttemberg, Berlin and Hamburg, the BayLDA conducted an auditing of online dating websites (please see: Press release dated 24th of June 2015). 21 websites have been inspected German-wide. Among these 21 websites, 10 have been audited by the BayLDA. All of these 10 websites offer their services throughout Germany. For the first time, independent Federal State Data Protection Authorities have created a single auditing approach, coordinated their efforts and they have reviewed their findings during a conference.

From the BayLDA's point of view, it is very positive to note that each operator was very serious about answering our questions, complying with their obligation to provide information. Therefore, some of the answers spanned over 50 pages. Most of the websites did have a data protection officer. Furthermore, the website operators did focus on data protection issues setting up their services and conducting their businesses. Based on their answers, employees are regularly trained regarding data protection issues and data secrecy. This means that the requirements for handling personal data are - on a formal level - fulfilled.

However, issues have been identified regarding technical aspects of data security, handling requests by a data subject to provide certain information, drafting data protection clauses, manners to identify a user and accessing the content of communications. Now, as far as the BayLDA did reveal such problems, the respective operators are informed. They are requested to fix these issues - as long as they have not done so themselves in the course of the audit.

Further information regarding the findings are included in our press release.

Ansbach, 10.09.2015

Children's Online Privacy Protection - results of a worldwide audit

Children's Online Privacy Protection - results of a worldwide audit

The Global Privacy Enforcement Network (GPEN) has published the results of this year's "Sweep Day". The experiences by other Authorities (unfortunately) coincide with the findings of the BayLDA. As we have mentioned in the past, the BayLDA was participating in this year's Sweep Day as well.

Together with 28 Data Protection Authorities from around the world, the Bavarian State Authority on Data Protection for the Private Sector (BayLDA) has examined websites specifically desgined for children. Results include the lack of transparency and parental controll options in order to control or prohibite certain types of data processing.

Ansbach, 20.08.2015

A commissioned collection of personal data without a proper contract can be expensive

A commissioned collection of personal data without a proper contract can be expensive

If a controller allows a third party to process personal data on the controller's behalf, there needs to be a very detailed contract. Violating this rule by not providing such a contract or by not covering the relevant details, administrative fines are impending. The Bavarian State Authority on Data Protection for the Private Sector (BayLDA) has recently sanctioned such an inadequate contract with an administrative fine in the price range of a five digits sum.

Further informations to the needs of such a contract can be found in an infopaper in the website category "Info sheets & flyer" or below.

Ansbach, 30.07.2015

Costumer's Data with regard to a Mergers & Aquistion Deal - A problem of Data Protection

Costumer's Data with regard to a Mergers & Aquistion Deal - A problem of Data Protection

Personal data of consumers are often very valuable, especially in order to contact someone with a personalized sales promotion. If a company ceases operations, it regularly tries to sale valuable assets to another company via an asset deal. In a similar situation, an insolvency administrator tries to sell consumer's personal data. This information is often enough the only still valuable asset of a company being bankrupt.

However, two Bavarian companies needed to realize that one needs to be very careful in that regard. The BayLDA issued a penalty in the range of a 5 digits figure against two companies. Executing an asset deal, the buyer and the seller engaged in the unlawful transfer of consumer email addresses of an online shop. Therefore, both companies got fined. "With regard to asset deals, personal data is sold violating data protection laws. In order to raise awareness, we will continue to fine similar actions." said Thomas Kranig, President of the BayLDA.

With regard to the unlawful transfer of personal data, both companies, the buyer and the seller, are a "controller" in accordance with German Data Protection laws. Therefore, they are both responsible in accordance with the relevant provisions. The seller is "transferring" personal data, while the buyer is "collecting" it. Both acts, the unlawful transfer as well as the unlawful collection of personal data, are constituting administrative offences. Depending on the circumstances of each individual case, a fine might be up to 300.000 Euro.

Ansbach, 30.07.2015

Advertisement - What's allowed and what's not?

Advertisement - What's allowed and what's not?

Companies, associations and freelancers have a legitimate interest to advertise for their goods and services. However, they need to act in accordance with Data Protection Laws and the Act Against Unfair Competition. In that regard, requirements differ significantly regarding telephone, email, SMS and postal advertisements.

On one hand, postal advertisements are generally lawful, as long as there is no specific objection. On the other hand, advertisement targeting consumers via telephone, email and SMS are very often only lawful, if there is a specific consent. The BayLDA has compiled a new 4-page guide with regard to the legal framework. Advertising companies and citizens are able to quickly inform themselves in order to act in accordance with the relevant Data Protection Laws.
Further information can be found via the 14-page document (General Advice by the Data Protection Authorities on Collecting, Processing and Using Personal Data with regard to Advertisements). This document has been published by the BayLDA. It outlines the opinion shared by all German Data Protection Authorities.

Citizens, who think that advertisements have been violating their fundamental right of privacy, e.g. by violating a specific objection against receiving advertisements, may contact the BayLDA. The unlawful use of an email address and/or a telephone number are constituting administrative offences. Depending on the circumstances of each individual case, a fine might be up to 300.000 Euro.


Love in the Digital Age - BayLDA is examining Dating Website

Love in the Digital Age - BayLDA is examining Dating Website

The framework of this audit is a 25-page questionnaire which has been developed by all cooperating Data Protection Authorities. This questionnaire is consisting of legal and technical questions. It has been sent out to ten Bavarian companies, operating dating websites. These ten companies have partially been selected randomly. They have to answer these questionnaires within a fixed time limit.

The BayLDA is hoping to gain important knowledge and to understand, if data protection requirements are fulfilled with regard to these websites and relevant apps. After analyzing these questionnaires, the BayLDA will conduct a focused on-site inspection of two companies.

By way of this audit, the German Data Protection Authorties are underlying the fact that they can conduct a large scale audit in cooperation, even though there is a Federal System in Germany. Beneficiaries of this audit are the users of online dating websites. The collection, processing and use of personal data is supervised by a Data Protection Authority. If issues are revealed, companies must eliminate them swiftly.