The Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty descri­bes the cour­se of a data pro­tec­tion audit

Con­trol­lers and pro­ces­sors typi­cal­ly have an inte­rest in avo­i­ding data pro­tec­tion audits, or at least ensu­ring that they go as smooth­ly as pos­si­ble. A recent publi­ca­ti­on from the Data Pro­tec­tion Aut­ho­ri­ty of the Prin­ci­pa­li­ty of Liech­ten­stein affords insight into pos­si­ble occa­si­ons for an audit and the docu­ments which will be reques­ted over the cour­se of the audit.

The docu­ment issued by the Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty bears the some­what clun­ky title “Pro­cess Descrip­ti­on for Data Pro­tec­tion Audits” (PDF / only in ger­man) and is dated 19 June 2020. Right at the begin­ning of this docu­ment from the Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty, which is respon­si­ble for both pri­va­te indi­vi­du­als and public enti­ties, is an expl­ana­ti­on of the legal frame­work for data pro­tec­tion audits  in accordance with the GDPR, as well as pos­si­ble occa­si­ons for an audit.

Occa­si­ons for an audit

Accor­ding to this expl­ana­ti­on, audits may be prompt­ed e.g. by com­plaints or by infor­ma­ti­on obtai­ned by the aut­ho­ri­ty. But the Data Pro­tec­tion Aut­ho­ri­ty also con­ducts pre­ven­ti­ve, or unpro­mpt­ed, audits on an ex offi­cio basis. Accor­ding to the Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty, the decisi­ve fac­tor which goes into the sel­ec­tion of con­trol­lers for an audit is the risk ari­sing from data pro­ces­sing. In par­ti­cu­lar, the aut­ho­ri­ty takes into account the fol­lo­wing sources and cri­te­ria in making this assessment:

  • the processor’s website;
  • acti­vi­ty reports, annu­al reports and other publicly available infor­ma­ti­on published by the processor;
  • past cont­acts with the rele­vant enti­ty which reve­al an ina­de­qua­te under­stan­ding of data protection;
  • the intro­duc­tion of new types of data pro­ces­sing for which the­re are spe­ci­fic public con­cerns about a pos­si­ble inva­si­on of privacy;
  • the scope and type of per­so­nal data to be processed;
  • the num­ber, type and con­tent of com­plaints against a spe­ci­fic cate­go­ry of processors;
  • the results of past data pro­tec­tion audits;
  • media reports.

Audits may also be con­duc­ted at the request of a con­trol­ler or pro­ces­sor, based on a sta­tu­to­ry man­da­te or as part of a coor­di­na­ted joint audit con­duc­ted in con­junc­tion with other Euro­pean super­vi­so­ry authorities.

Cour­se of the audit

The data pro­tec­tion audit its­elf is bro­ken down into six steps, wher­eby the aut­ho­ri­ty expli­cit­ly pro­vi­des for one or more steps to be repea­ted in some cases, or for steps to be skip­ped over. The cour­se of an audit by the Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty con­sists of the fol­lo­wing steps:

  • Cont­act and announcement
  • Docu­ment check
  • On-site inspec­tion (optio­nal)
  • Audit report
  • Reme­dies and order
  • Follow-up check

Of spe­cial inte­rest: the docu­ment check

Of all the steps men­tio­ned in the detail­ed pre­sen­ta­ti­on in this docu­ment from the Data Pro­tec­tion Aut­ho­ri­ty, the one which is of grea­test inte­rest to con­trol­lers is the second, the “docu­ment check.” In this step, not only does the aut­ho­ri­ty obtain infor­ma­ti­on and state­ments from the con­trol­ler or pro­ces­ser by means of a ques­ti­on­n­aire, but it also requi­res the sub­ject of the audit to pre­sent num­e­rous docu­ments, to be pro­vi­ded eit­her elec­tro­ni­cal­ly or in paper form. The con­trol­ler is requi­red to send over the fol­lo­wing documents:

  • records of pro­ces­sing acti­vi­ties (Artic­le 30(4) of the GDPR);
  • infor­ma­ti­on pro­vi­ded to data sub­jects (Artic­les 13 and 14 of the GDPR);
  • model decla­ra­ti­ons of con­sent (Artic­le 7 of the GDPR);
  • infor­ma­ti­on about data pro­tec­tion trai­ning pro­vi­ded to employees;
  • con­tracts with pro­ces­sors (Artic­le 28(3) of the GDPR) and other cur­rent agree­ments with ser­vice pro­vi­ders which come into cont­act with per­so­nal data (e.g. hard­ware and sup­pli­er sup­pli­ers, appli­ca­ti­on ser­vice pro­vi­ders), with an empha­sis on pro­vi­si­ons rela­ting to data protection;
  • docu­men­ta­ti­on of data brea­ches (Artic­le 33(5) of the GDPR);
  • data pro­tec­tion impact assess­ments (Artic­le 35 of the GDPR).

If the audit also covers tech­ni­cal and orga­niza­tio­nal data pro­tec­tion mea­su­res, the con­trol­ler or pro­ces­sor will also typi­cal­ly be requi­red to pro­vi­de the fol­lo­wing addi­tio­nal documents:

  • an orga­niza­tio­nal chart of depart­ments enga­ged in data processing;
  • the audit subject’s data pri­va­cy poli­cy, IT secu­ri­ty stra­tegy and con­tin­gen­cy plans;
  • audit reports and assess­ments from other enti­ties, par­ti­cu­lar­ly tho­se rela­ting to the scope of the audit with regard to infor­ma­ti­on tech­no­lo­gy in general;
  • basic docu­men­ta­ti­on of IT infra­struc­tu­re, and par­ti­cu­lar­ly the soft­ware and hard­ware used by the audit subject;
  • the aut­ho­riza­ti­on con­cept, par­ti­cu­lar­ly an expl­ana­ti­on of access rights pro­vi­ded to admi­nis­tra­tors, exter­nal employees and ser­vice pro­vi­ders or other (exter­nal) entities;
  • ins­truc­tions to users for use of IT equipment;
  • non-disclosure agree­ments and other rele­vant instructions;
  • arran­ge­ments con­cer­ning dura­ti­on of sto­rage and dele­ti­on of per­so­nal data (dele­ti­on concept).

Sum­ma­ry and recommendation

The “Pro­cess Descrip­ti­on for Data Pro­tec­tion Audits” from the Liech­ten­stein Data Pro­tec­tion Aut­ho­ri­ty affords inte­res­t­ing insight into the mode of ope­ra­ti­on which data pro­tec­tion aut­ho­ri­ties will adopt in their audi­ting acti­vi­ties. Of par­ti­cu­lar inte­rest for con­trol­lers and pro­ces­sors, asi­de from the cir­cum­s­tances which may prompt an audit in the first place, are the docu­ments which the data pro­tec­tion aut­ho­ri­ty will request over the cour­se of the audit. Con­trol­lers and pro­ces­sors can learn from this docu­ment, first of all, that avo­i­ding com­plaints and reports of poten­ti­al data brea­ches will mini­mi­ze the risk of an audit by the data pro­tec­tion aut­ho­ri­ty. It may also be pos­si­ble to lower the risk of pre­ven­ti­ve, or unpro­mpt­ed, audits to a cer­tain ext­ent by influen­cing the cri­te­ria for sel­ec­tion. Con­trol­lers and pro­ces­sors can also keep the docu­ments which will be reques­ted by the data pro­tec­tion aut­ho­ri­ty in the docu­ment check clo­se at hand so as to be as well-prepared as pos­si­ble in case of an audit and ensu­re that the audit goes as smooth­ly as pos­si­ble, while at the same time giving the aut­ho­ri­ty no cau­se for an in-depth review.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.