The Liechtenstein Data Protection Authority describes the course of a data protection audit

Stefan Hessel

Controllers and processors typically have an interest in avoiding data protection audits, or at least ensuring that they go as smoothly as possible. A recent publication from the Data Protection Authority of the Principality of Liechtenstein affords insight into possible occasions for an audit and the documents which will be requested over the course of the audit.

The document issued by the Liechtenstein Data Protection Authority bears the somewhat clunky title "Process Description for Data Protection Audits" (PDF / only in german) and is dated 19 June 2020. Right at the beginning of this document from the Liechtenstein Data Protection Authority, which is responsible for both private individuals and public entities, is an explanation of the legal framework for data protection audits  in accordance with the GDPR, as well as possible occasions for an audit.

Occasions for an audit

According to this explanation, audits may be prompted e.g. by complaints or by information obtained by the authority. But the Data Protection Authority also conducts preventive, or unprompted, audits on an ex officio basis. According to the Liechtenstein Data Protection Authority, the decisive factor which goes into the selection of controllers for an audit is the risk arising from data processing. In particular, the authority takes into account the following sources and criteria in making this assessment:

  • the processor's website;
  • activity reports, annual reports and other publicly available information published by the processor;
  • past contacts with the relevant entity which reveal an inadequate understanding of data protection;
  • the introduction of new types of data processing for which there are specific public concerns about a possible invasion of privacy;
  • the scope and type of personal data to be processed;
  • the number, type and content of complaints against a specific category of processors;
  • the results of past data protection audits;
  • media reports.

Audits may also be conducted at the request of a controller or processor, based on a statutory mandate or as part of a coordinated joint audit conducted in conjunction with other European supervisory authorities.

Course of the audit

The data protection audit itself is broken down into six steps, whereby the authority explicitly provides for one or more steps to be repeated in some cases, or for steps to be skipped over. The course of an audit by the Liechtenstein Data Protection Authority consists of the following steps:

  • Contact and announcement
  • Document check
  • On-site inspection (optional)
  • Audit report
  • Remedies and order
  • Follow-up check

Of special interest: the document check

Of all the steps mentioned in the detailed presentation in this document from the Data Protection Authority, the one which is of greatest interest to controllers is the second, the "document check." In this step, not only does the authority obtain information and statements from the controller or processer by means of a questionnaire, but it also requires the subject of the audit to present numerous documents, to be provided either electronically or in paper form. The controller is required to send over the following documents:

  • records of processing activities (Article 30(4) of the GDPR);
  • information provided to data subjects (Articles 13 and 14 of the GDPR);
  • model declarations of consent (Article 7 of the GDPR);
  • information about data protection training provided to employees;
  • contracts with processors (Article 28(3) of the GDPR) and other current agreements with service providers which come into contact with personal data (e.g. hardware and supplier suppliers, application service providers), with an emphasis on provisions relating to data protection;
  • documentation of data breaches (Article 33(5) of the GDPR);
  • data protection impact assessments (Article 35 of the GDPR).

If the audit also covers technical and organizational data protection measures, the controller or processor will also typically be required to provide the following additional documents:

  • an organizational chart of departments engaged in data processing;
  • the audit subject's data privacy policy, IT security strategy and contingency plans;
  • audit reports and assessments from other entities, particularly those relating to the scope of the audit with regard to information technology in general;
  • basic documentation of IT infrastructure, and particularly the software and hardware used by the audit subject;
  • the authorization concept, particularly an explanation of access rights provided to administrators, external employees and service providers or other (external) entities;
  • instructions to users for use of IT equipment;
  • non-disclosure agreements and other relevant instructions;
  • arrangements concerning duration of storage and deletion of personal data (deletion concept).

Summary and recommendation

The "Process Description for Data Protection Audits" from the Liechtenstein Data Protection Authority affords interesting insight into the mode of operation which data protection authorities will adopt in their auditing activities. Of particular interest for controllers and processors, aside from the circumstances which may prompt an audit in the first place, are the documents which the data protection authority will request over the course of the audit. Controllers and processors can learn from this document, first of all, that avoiding complaints and reports of potential data breaches will minimize the risk of an audit by the data protection authority. It may also be possible to lower the risk of preventive, or unprompted, audits to a certain extent by influencing the criteria for selection. Controllers and processors can also keep the documents which will be requested by the data protection authority in the document check close at hand so as to be as well-prepared as possible in case of an audit and ensure that the audit goes as smoothly as possible, while at the same time giving the authority no cause for an in-depth review.

[July 2020]