10. BayLDA activity report for 2020 published

von Jan Schwemler

The Bavarian State Office for Data Protection Supervision (BayLDA) presented its tenth activity report for 2020 in July 2021. The activity report is drawn up on the basis of Art. 59 GDPR and provides information on the priorities and working conditions of the BayLDA as well as the data protection assessment of various case constellations.

Focus on the corona pandemic

As expected, the year 2020 was shaped by Corona for the BayLDA – both for its own work and with regard to all questions that arose in connection with fighting the pandemic from a data protection point of view. The focus was on questions such as the recording of contact data and access controls as well as video conferencing systems in the home office.

Focus on Schrems II and international data traffic

The BayLDA identifies the momentous decision of the ECJ of July 16, 2020, which overturned the EU-US Privacy Shield with the so-called Schrems II ruling, as a further focus. The BayLDA notes that the ECJ’s judgment only reminded of the already existing obligations of those responsible and processors, but did not set any new requirements. However, the authority also knows that the elimination of this practical solution for transatlantic data traffic means that small and medium-sized companies in particular are faced with a problem that is difficult to solve.

Increased procedures for binding corporate rules

At the same time, the BayLDA has increasingly dealt with the approval process for Binding Corporate Rules (BCR). The BayLDA sees as an explanation for this the belief of the corporations that BCR can provide more legal security for international data transfers within the group of companies. The BayLDA points out, however, that this is not necessarily the case. Because even with group-internal data transfers, companies must prevent data access by foreign authorities with additional measures.

New standard contractual clauses also provide little relief

The same problem with the prevention of data access by authorities in third countries also affects the new EU standard contractual clauses. Those responsible have been able to use these since June 21, 2021 and must replace the previously used standard contractual clauses by December 27, 2022. Even if the new standard contractual clauses do not solve all problems, they now represent more practical constellations between data importers and exporters. The BayLDA points out that the Commission has announced that it will publish accompanying FAQs that are intended to provide users with support for the standard contractual clauses.

Schrems II and the examination of the legal situation in the recipient country

In particular, checking the legal situation in the recipient country is unlikely to be practicable for small and medium-sized enterprises. Nevertheless, the BayLDA makes it clear that this test must be carried out and then documented. If the exporting company is unable to provide evidence of an adequate level of data protection in the recipient country, the supervisory authorities would have to prohibit the transfer of data.

Even if the BayLDA refers to recommendation paper No. 1/2020 from the European Data Protection Committee, the report admits that there will be data transfers that companies have carried out in the past, but which can no longer be carried out in compliance with data protection regulations.

Look at the numbers

In addition, the BayLDA cites some statistical figures in its activity report for 2020:

Slight decrease in the number of reported data protection breaches

The number of reported data breaches decreased compared to the previous year. 3,752 data breaches were reported in Bavaria.

230 fine proceedings carried out

In 2020, 230 fine proceedings were carried out. Parts of these still related to old proceedings from 2018. 64 fine proceedings were still open as of December 31, 2020.

Lots of open complaints

A total of 6,185 complaints and control suggestions were received in Bavaria in 2020. The BayLDA’s activity report shows that around 3,500 complaints were open in December 2020. Complaints also include so-called control suggestions, in which the reporting persons did not state that their rights were violated by data protection violations. In its report, the BayLDA explains that due to the limited resources, the processing of complaints is at the expense of prevention and counseling.

More information on the BayLDA website – less need for advice

Compared to the previous years 2018 and 2019, the number of consultations carried out decreased in 2020. The BayLDA carried out 2,657 consultations, with a little more than 1,000 being held by those responsible. The BayLDA sees the reason for the drop in numbers as the successful expansion of its information offerings on the website. Especially with a view to the many new questions in connection with the corona pandemic, the BayLDA could have anticipated many inquiries through the online information.

Action focus for 2021: online exams and questionnaires

According to the 10th activity report, the BayLDA intends to make unprompted examinations a focus of its supervisory activities in the current year with online examinations and questionnaires.

Companies should always be well prepared for data protection, also with a view to random checks by the BayLDA. It is the wrong way to deal with data protection until the supervisory authority has contacted you.

If you receive inquiries about data protection from BayLDA and do not know how to deal with it – come to us! As an experienced data protection officer, we support you in communicating with the supervisory authorities and are happy to accompany you during examinations.

Simply call us at the headquarters in Hutthurm on +49 (0) 8505 91 927 – 0 or in our Munich branch on +49 (0) 89 413 2943 – 0 or use our contact form.

assets/images/3/jan-schwemler-8c6d94ec.jpeg
Jan Schwemler

Auszubildender

Jan Schwemler absolviert bei der aigner business solutions GmbH eine Ausbildung zum Kaufmann für Büromanagement. Jan hat in der Wirtschaftsschule Passau kaufmännische Abläufe erlernt. Nun lernt er die Umsetzung in der Praxis kennen. Seine Kreativität, Talent für Bildbearbeitung und Leidenschaft für Videoschnitt darf er in unserer Marketingabteilung einbringen. Nicht zuletzt durch seine Mitarbeit dürfen sich unsere Kunden und Follower stets über neue interessante Inhalte auf unseren Social Media Kanälen und in unseren Newslettern freuen.

Schlagworte: GDPR, Data protection