Companies ask many questions about the implementation of data protection. The data protection officers welcome this, but cannot answer all inquiries immediately.
The General Data Protection Regulation (GDPR) requires the data protection supervisory authorities to be adequately equipped with staff and resources. But the number of submissions is high, because many companies not only want to be checked, but also advised. The data protection supervisory authorities are seeing increasing demand from companies and authorities – and are hoping for more employees.
Stefan Brink – data protection officer for the state of Baden-Württemberg – has a good 60 employees available for data protection. “The state parliament has always supported us in recent years,” he says, for example in building an education center and hiring specialists. They could advise start-ups and other companies on topics such as data and AI. According to their own information, Brink’s employees gave advice on data protection issues a total of 4,200 times last year – almost as often as complaints were submitted: the Baden-Württemberg State Data Protection Commissioner (LfDI) counted 4,700 corresponding reports last year.
The authority of the Hamburg data protection officer Thomas Fuchs also confirms the trend. 23 employees work on the Elbe for data protection alone, and three additional positions are to be added in the next two years. Complaints were filed 2,770 times last year – and the supervisory authority recorded almost 1,200 consultations.
Too many inquiries about GDPR
The IT interest group Bitkom recently published a survey among companies on GDPR implementation and problems, which also included data protection supervisory authorities. A mixed picture emerged. While in 2021 about two thirds of the companies complained about a lack of advice, it is now only 52 percent. However, 27 percent of the companies stated that they had asked the supervisory authorities, but received no answer.
This is regrettable, says NRW data protection officer Bettina Gayk: “For example, we have to postpone some company inquiries due to the large number of further entries – around 12,000 a year. We do this primarily in cases in which companies clearly ask questions which management, the company’s legal department or company data protection officers should be able to easily answer themselves.” As a rule, however, at least one piece of information is given that the request cannot be processed promptly. However, in a country as large and diverse as North Rhine-Westphalia, the data protection supervisory authority can only advise on key issues and fundamentally new issues.
Data protectionists: Fear of supervisory authorities unfounded
According to Bitkom, 16 percent of the companies that do not want to contact the data protection supervisory authorities stated that they were afraid that the data protection officers would then become aware of internal problems. The data protection supervisor from North Rhine-Westphalia is wrong: “As a rule, we don’t actually use requests for advice as an opportunity to impose fines, but generally let it go if companies follow our recommendations,” she said when asked by voonze online .
In addition, there is a ban on the use of evidence for administrative offense proceedings or criminal proceedings within the framework of the GDPR for content that must be communicated as part of a notification of data protection violations or a notification of data breaches. Among other things, the provision is intended to enable whistleblowers to involve data protection supervisory authorities – the ban on the use of evidence can only be lifted with the consent of those reporting or those affected.
Hamburg’s data protection officer, Thomas Fuchs, sees it positively that a large number of companies are apparently not afraid to communicate with their data protection supervisory authority: “I am deeply convinced that projects that are supposed to be data protection obstacles, which would actually also be possible in accordance with data protection, are often not implemented.”
A basis of trust probably exists with “numerous companies”.
Baden-Württemberg’s data protection officer Stefan Brink takes a similar view. Advice and supervision can be reconciled very well: “When we give advice, we don’t use what we know to then carry out an inspection,” he says. However, advising companies or authorities would not mean a free ticket for them. Action is also taken against authorities that have previously been advised by them – if “complaints are received about a company or an authority”. However, he has the impression that numerous companies have now developed a basis of trust in the supervisory authorities. This is helpful for both companies and data protection authorities.
Supervisory authorities need capacities
In order for this to succeed, however, the supervisory authorities above all need capacities. In June, Lower Saxony’s data protection officer, Barbara Thiel, also pointed out that her equipment is currently not sufficient to carry out her duties. With the exception of the Federal Data Protection Commissioner, the respective state parliaments are responsible for the budgets of the data protection supervisory authorities. And their householders are currently advising what expenses will be necessary in 2023 in economically and politically turbulent times.
When asked by voonze online, Baden-Württemberg’s data protection officer, Stefan Brink, made no specific demands. In any case, one position will have to be filled in the state in 2023: that of the state data protection officer. After one election period, Brink wants to stop. A successor has not yet been elected, and the transparent and open procedure that critics believe is not in sight.
Whether the green-black state government under Prime Minister Winfried Kretschmann will find a successor faster than the red-green-red Senate in Berlin is an open question: State data protection officer Maja Smoltczyk would have actually left there last fall – the search for a successor however, turned out to be extremely complex. On October 6th, Meike Kamp, a new state commissioner for data protection and freedom of information, will finally be elected by the Berlin House of Representatives.
