The State Data Protection Inspectorate has announced the first large scale GDPR inspection plan

​The State Data Protection Inspectorate on 05.02.2019 has announced the inspection plan for the year 2019. This is the first large scale inspection after entry into force of the new General Data Protection Regulation (GDPR) on 25 May, 2018. Therefore the inspected companies will face a challenge in verifying if their activities and documents comply with the provisions of the GDPR.

Currently 75 scheduled inspections are planned. The panned inspections are related to those business sectors where the amount of processed personal data is high and have a tendency for further growth, also taking into account the complaints received by individuals, as well as previously made inspections and their results.

Basically the following groups of business entities will be checked: 

Sports clubs

• on the lawfulness of the processing of biometric data, as the fingerprints are often used as a control method for the entry to the sports clubs.
  Sports and tourism goods and services companies
• on the implementation of the principle of data reduction in the processing of personal data for the purpose of conclusion and execution of lease agreements and
• on information obligation to the data subjects about the processing of their personal data.

Hotels

• on the implementation of the principle of data reduction in the processing of personal data of hotel guests.

Fast Credit Companies

• on ensuring the security of personal data processed for the purpose of conclusion and execution of consumer credit agreements.

State institutions

• on compliance of data processing contracts concluded with data processors with the requirements of the GDPR. According to the State Data Protection Inspectorate, in many cases State institutions are even more affected by the data protection violations compared to the private sector

Some announced inspections will be executed in written form (by e-mail correspondence), others at the place of data processing. Only 16 out of 75 controllers will be checked at the place, where the data is being actually processed. Most of the inspections will be carried out in written form, mainly in order to verify the implementation of the principle of data reduction and information obligation towards data subjects. Several companies will also be checked for compliance with technical and organisational security measures, by checking which IT tools ensure data security and what administrative measures ensure that data is stored securely.

Moreover, after the inspections will be finished, the State Data Protection Inspectorate will release its comments, which might be used by other companies to ensure correct processing of personal data. These comments should be studied closely by all data processors in order to ensure compliance.

The State Data Protection Inspectorate is also performing unscheduled inspections and can execute them even without prior notice in case it receives a complaint.