The data protection audit
An exemplary overview for the German jurisdiction

In the following we outline the provisions for a data protection and data privacy audit in Germany. This is meant to give you an overview of the topic. Data Business Services has small, medium and large checklists ready for internal and external audits. We advise doing internal audits first and learning the topic before calling in an external auditor for certification. We can assist you with audits all over Europe.

I. The provision of Section 9a BDSG

The Federal Data Protection Act (BDSG) provides for a data protection audit in Section 9a. The provision reads as follows:

"In order to improve data protection and data security, suppliers of data processing systems and programmes and bodies conducting data processing can have their data protection concepts and their technical facilities examined and evaluated by independent and approved appraisers, and can publish the result of the audit. The detailed requirements pertaining to examination and evaluation, the procedure and selection and approval of the appraisers are stipulated in a separate act."

Section 9a BDSG does not by itself make a data protection audit possible. It is only a programmatic norm that delegates the detailed rules to a separate data protection audit act, which has not yet been adopted. The provision distinguishes between technical facilities and data protection concepts as objects of the audit. The two objects call for entirely different audit procedures: technical facilities require a product audit, whereas data protection concepts, which must be implemented by a data protection management, require a system audit.

II. Aim of a data protection audit

The data protection audit is a new instrument of data protection. It seeks to achieve a self-commitment and self-control of companies towards continuous improvement through the appeal of advertising and the associated competitive effect. The aim is to generate progress in data protection law not through commands and prohibitions, but through voluntary self-regulation by economic actors.

1. Support of self-responsibility

The data protection audit should above all be a suitable instrument for demanding and supporting the self-responsibility of data processors for data protection. Data protection is a quality feature of applications of information and communication technology, its significance is growing, and it is understood as an important competitive advantage. The data protection audit makes it possible to advertise with data protection and data security in a verifiable way. To ensure a continuously high level of data protection, the establishment of a data protection management system with recurring control and improvement, guided by legal rules of conduct, is essential. For the data processor the data protection audit is the opportunity to communicate the positive audit result to the public and to gain decisive competitive advantages, in keeping with the motto: "Do something good and talk about it".

2. Improvement of the data protection level beyond the legal obligation

The main material aim of the data protection audit should be the continuous improvement of data protection and data security in the company. Until now there have been no strong incentives for data processors to make their own efforts to improve data protection and data security. The data protection audit makes it possible to document, verify and reward these efforts, and in this way creates the market incentive to actually make them. It should not confine itself to verifying compliance with data protection regulations, which is obligatory anyway. Conformity of the system structure with the legal requirements of data protection is indeed the primary object of continuous external control, but certification of a data protection management system should be tied to requirements beyond the obligatory, which the company takes on above the legal minimum standard.

3. The data protection audit as a learning system

The data protection audit is understood as a learning system, because the aim of a data protection level beyond the legal obligation can only be achieved in this way. The focus of control therefore lies on standardising the "learning process" within the particular data protection management system. The learning process is structured, within a complete company review, by an inventory of the processing of personal data by the data processor that collects all relevant requirements of data protection law. The findings of this inventory flow into data protection programmes, for which concrete aims, measures and deadlines are set. Positive and negative experiences with the implementation of existing data protection measures are fed into these programmes, and from this reflection further steps of improvement are defined. Structuring the learning process in this way introduces a new dynamic element, compared with the institution of the data protection officer, which has so far operated in a rigid manner (by mandatory order).

III. Conception of a data protection audit

The decisive tool for achieving the aims described is the introduction of a data protection management system and its periodic, recurring internal and external control and optimisation.

1. System audit

The data protection audit should be designed as a system audit. A pure product audit, by contrast, falls short of the aims described. A product audit is static and object-related, whereas the data protection audit is meant to initiate a process-related, dynamic learning process. Within a data protection audit the company's ability to react flexibly to changes in information and communication technology, and to master the challenges for data protection that continually arise from them, should be tested and rewarded. The data protection audit does not aim at a one-off evaluation of a product, but at the ability to generate new solutions continually and to improve the data protection management system continuously. Part of the data protection audit is therefore the functioning and usefulness of the in-house data protection management as a new resource for data protection.

2. Voluntariness

A further important point of the data protection audit as an instrument for strengthening self-responsibility in the company is its voluntariness. The public is the decisive regulating factor: market demand is what should move a company to take part in the audit. The data protection audit is thus not a basis for external regulation by others, but an instrument of voluntary in-house self-regulation that is publicly recognised.

3. Procedure

A data protection concept is audited as follows: the data processing body carries out a data protection company review, which results in a data protection statement; this statement is checked and rated by an independent and approved data protection expert. A procedure along the following action items is recommended:

(1) Data protection check. A data protection audit begins with a data protection check. This provides an inventory of the status of personal data processing and of the status of the application of data protection rules in the company.

(2) Data protection policy. After the inventory the provider commits in writing to a data protection policy that applies to the whole company.

(3) Data protection concept. On this basis the provider creates a data protection concept with concrete data protection aims, a catalogue of concrete measures and a time plan for implementing the data protection policy for the particular application.

(4) Data protection management system. In parallel with the data protection programme a data protection management system is established that determines the organisational structure, responsibilities, procedures, processes and tools for realising the guidelines of the data protection concept.

(5) Periodic data protection audit. The company carries out a data protection audit as a systematic and documented analysis at periodically recurring intervals. Its content is the picture of the organisation, the management and the company processes in conformity with the data protection policy and the data protection concept. The aim is to determine whether the intended improvement of data protection has been achieved.

(6) Data protection statement. As the result of each audit the company writes a data protection statement.

(7) Check and certification. The data protection statement is then checked and certified by an approved and independent data protection expert.

(8) Publication and registration. On positive validation by the external data protection expert the data protection statement is published and transmitted to the responsible authority for registration in the directory of companies participating in the data protection audit.

(9) Advertising and marketing. On the basis of the registration in the audit directory the company is authorised to use the "data protection seal of approval" for advertising purposes.