In a recent Expert Webinar, Orrick attorneys and partnered with Prof. Dr. Dieter Kugelmann, , and Dr. Sven Polenz, Division Head at the , to discuss supervisory procedures conducted by data protection authorities under the ("GDPR"). The session offered insights into how supervisory authorities approach investigations, providing companies with a clearer understanding of their expectations.
General Data Protection Inquiries from Authorities
Triggers for General Inquiries
- Predominantly Occasion-Related. Most data protection inquiries are initiated by complaints from affected individuals such as customers, employees, or notes provided by third parties who are not directly affected ("Notes").
- Non-Triggered Inquiries. Authorities may also conduct audits without a specific triggering event. This can be perplexing for many companies, as they often struggle to understand why they have been selected for review. The experts clarified that the European Data Protection Board ("EDPB") periodically decides on topics or sectors for examination in inquiries. These inquiries may focus on specific processing activities, such as data storage or deletion periods in specific sectors like finance or health. In addition to the EDPB agenda, individual supervisory authorities may also define their own focus areas.
Factors for the specific selection of companies include their size, measured by revenue or number of employees, and the significance of their data processing activities, such as cross-border processing, handling particularly sensitive data, and involving a large number of individuals in the data processing.
- Impact of Artificial Intelligence on Inquiry Frequency. The introduction of Artificial Intelligence ("AI") raises the question of whether it will lead to an increase in general inquiries. While complaints have not been numerous so far, advisory requests are already increasing, particularly in the public sector. Larger companies are also engaging in regular discussions to align their strategic direction with authorities. However, an increase in complaints from individuals in the future seems likely. Depending on this, the authorities will adjust the inquiry frequency.
- Impacts of New Digital Laws. Many of the new digital laws are not yet in effect, so developments are still awaited. However, European expert groups are actively working on papers to address the interplay between the GDPR and the new digital laws (e.g., AI-Act, DSA, DMA, Data Act, etc.).
Conducting General Inquiries in Practice
- Questionnaires and Information Requests. In practice, authorities often prepare and send out specific questionnaires to request information. The speed and the quality of the response by the addressed companies may shed light on their overall compliance level. It is particularly important to understand how quickly a company, especially those with larger structures, can gather information from various departments and communicate it to the authority.
- Importance of a Coordinating Contact Person. From the authorities' perspective, it is highly beneficial when companies provide a coordinating contact person, such as the Data Protection Officer. This can facilitate more efficient resolution of inquiries, benefiting both parties involved.
Authorities also find it advantageous when the Management is involved.
From a legal practitioner's perspective, it may not always be the right approach to have persons communicate with authorities who are not familiar with how to best represent a company in such a proceeding. There is always a fine line to walk between open collaboration and, sometimes, taking a more defensive approach, in particular if an enforcement proceeding cannot be excluded.
- Key Considerations for Authorities in Evaluating Responses. Authorities expect questions to be answered specifically and concretely. If there are uncertainties regarding the scope of certain questions, companies are encouraged to seek clarification. A prompt and precise response generally makes a positive impression, potentially leading to a quicker resolution of the inquiry. Conversely, avoiding answers or providing incomplete responses may raise suspicions, prompting further investigations by the authorities.
- Consequences of Evaluations. Depending on the evaluation of the questionnaires, inquiries can be concluded without further action. If indications of violations are found, authorities may conduct data protection investigations or impose fines. However, such higher escalation levels are not common for general inquiries.
Specific Data Protection Investigations
- Predominantly Complaint-Driven. The vast majority of audits are triggered by complaints from individuals. While there are occasional Notes, these are not the norm. Additionally, there are situations where authorities await action from companies, such as in the case of data breaches.
- Strategic Use of Complaints. Complaints often raise the question of whether data protection is being used strategically in other disputes to gain an advantage. Authorities have noted that this can sometimes be the case, particularly in employment scenarios where disputes over termination or severance are involved, leading to the assertion of data protection claims.
The experts from the authority side emphasize that data subject access requests ("DSAR") under Article 15 GDPR are most frequently asserted. Companies should aim to provide reliable and thorough responses to such requests, as failure to do so can quickly lead to formal complaints. Authorities further explain that strategically using access rights for purposes beyond the immediate scope of data protection is legally permissible.
It was the common view that, while DSARs can be fairly burdensome, it generally seems sensible to pursue a good faith approach, trying to provide as much relevant information as possible, and asking whether the individual has a specific issue which may better be addressed by providing specific information.
- Authority Perspective on Examining Documents. When looking at documentation, for example, data processing agreements, supervisory authorities may learn a lot about the internal organization and processes of a company. For instance, whether contract management is centralized or not can be a point of focus. Privacy policies on websites serve as another example. The authority expert explains that policies generated by online tools, which do not provide the relevant information, do not shed a good light, and can prompt further inquiries from the authority.
- Periods of Silence from Authorities. Companies may sometimes experience extended periods without hearing from authorities, leading to uncertainty about how to proceed and what the underlying reasons might be.
The experts from the authorities explain that factors such as internal capacity constraints can contribute to these delays. Additionally, authorities might be awaiting pivotal legal rulings that could influence the direction of ongoing cases. Despite these factors, they emphasize that it is the authority's obligation to either conclude or continue proceedings within a reasonable timeframe. If a case experiences significant delays, this can potentially be viewed favorably for the company involved, as it may influence discretionary considerations.
Building on this thought, the legal representatives indicated that it is sometimes better to remain calm and not inquire about the status.
Collaboration Between Authorities and Companies
- Communication Channels for Dialogue. Authorities offer channels for companies to discuss topics without immediately risking an investigation. These channels provide a platform for open dialogue, allowing companies to seek guidance and clarify uncertainties regarding data protection practices. This proactive approach can be beneficial for both parties, fostering a cooperative relationship and reducing the likelihood of adversarial interactions.
- Benefits of Engagement. Engaging with authorities through these channels can help companies build trust and demonstrate their commitment to data protection. It allows them to address potential issues before they escalate into formal investigations, thereby minimizing risks and enhancing their compliance posture. This collaborative approach encourages transparency and accountability, which are key elements in maintaining a positive relationship with regulatory bodies.