By Karin Retzer and Joanna Lopatowska, Morrison & Foerster LLP
Inspections and data protection audits from regulators are on the rise across Europe, and this trend is likely to continue. The latest figures for 2012 show that the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) completed 458 inspections, a 19 percent increase from 2011.1 The number of inspections has been steadily rising since 2004, when CNIL’s enforcement powers—and later on, its budget—were significantly increased. The Bavarian data protection authority conducted 13,404 off-site audits and 20 on-site inspections in 2012, compared to 50 off-site audits and 12 on-site inspections during the previous year.2 Perhaps not surprisingly, the number of sanctions imposed has quadrupled over the last five years. The Polish Inspector General for the Protection of Personal Data(GIODO) conducted 199 inspections in 2011,3 and the U.K.’s Information Commissioner’s Office (ICO) completed 58 audits in 2012/2013, and 42 audits in 2011/2012, compared to only 26 in the previous year.4
Companies need be proactive and take steps to dealing with a data protection audit. Any regulatory inspection is a burdensome undertaking, and inspections carry the risk of noncompliance being exposed, sanctions, adverse media attention and damage to reputation. Sometimes noncompliance is only identified after an inspection has been carried out. Even for fully compliant organizations, inspections bring disruption to the conduct of normal business.
This article provides organizations with recommendations on how to handle privacy inspections when the local data protection authority (DPA) comes knocking, and how to establish best practices to prepare for such checks and audits. It focuses specifically on on-site inspections, and describes the various steps, from the decision to inspect an organization to the final statement drawn at the end of an inspection.
Organizations are usually selected for privacy audits for one or more of the following reasons:
The enforcement powers of the DPAs are currently regulated in European Economic Area (EEA) member state laws implementing the EU Data Protection Directive (95/46/EC) (“Directive”).10 These laws differ across the EEA, which consists of the 28 European Union member states and Iceland, Liechtenstein and Norway. Although this article will not discuss this in depth, we note that this diversity of law may change in a few years’ time. The proposal for a draft “General Data Protection Regulation” published by the European Commission in January 2012 (“draft Regulation”)11, and currently under the review of the European Parliament, harmonizes and strengthens sanctions and rules on enforcement.12
The Directive sets out that each DPA is competent to exercise its powers on the territory of its own member state. However, each DPA may be requested to exercise its powers by a DPA from another member state. Furthermore, the DPAs must cooperate with one another to the extent necessary for the performance of their duties. For example, in 2012 the Estonian and Latvian DPAs published joint recommendations to an organization after they cooperated in inspecting the organization’s employee and customer data practices in the two countries.
Despite the cooperation efforts, however, the DPAs’ powers are still limited in territorial scope and do not extend beyond the territory of a member state.
Organizations that have executed Standard Contractual Clauses for transfers of personal data from controllers to processors outside the EEA,13 or those that have adopted Binding Corporate Rules (BCRs), must also agree to submit their operations to a European DPA for inspection. The U.S.-EU Safe Harbor Framework mandates such cooperation for human resources data. However, even in such cases, the DPAs do not have sufficient resources to conduct on-site inspections of non-EEA parties. Therefore, even when there is a theoretical risk of an inspection under these transfer mechanisms, in practice, we see little to no foreign inspections. For example, in 2011, the Italian DPA, the Garante per la Protezione dei Dati Personali (“Garante”), decided that non-Italian call centers that collect information from Italian residents on behalf of Italian entities are subject to the same rules that apply to Italian call centers (10 PVLR 1160, 8/15/11). However, in practice these overseas call centers were not inspected by the DPA; the Garante officials said that the inspections should be carried out at the Italian company that contracted the offshore call center. Even if, in practice, the DPAs do not have jurisdiction to inspect the non-EEA organizations, they may—and do—inspect the EEA affiliates.
In light of increasing DPA powers, the rising number of inspections, and the risks of sanctions that may follow, organizations operating in the EEA are advised not only to prepare for a planned, notified inspection, but to establish best practices, policies and procedures on how to handle all inspections.
Below we provide guidance on what organizations can do when faced with an inspection, and we set out some best practices.
Data protection audits are intended to evaluate whether an organization complies with local data protection laws and standards, including:
Most local data protection laws only contain general provisions on the DPA’s inspection powers, but some DPAs—for example in Ireland, the U.K. and Poland—have published guidance on procedures, sample questions and template documents and reports.14
An organization’s existing privacy measures and standards are key factors in handling the inspection itself. Organizations that are aware of inspection risks and are prepared for them will be able to undergo inspections with less disruption and better results.
Conduct an assessment. Knowing the status of your organization’s compliance with local laws and implementing any necessary changes are the first steps. Basic compliance involves: providing privacy notices to individuals whose personal data are collected and processed; completing database registrations; implementing written policies and procedures (e.g., on data security, data retention and access and correction); and where required, appointing data protection or data security officers. Most of these requirements take time, and cannot be implemented in a hurry right when the organization receives a notice of an inspection.
Therefore, it is prudent to regularly perform an analysis identifying and addressing any gaps in compliance as early as possible. In addition, it is useful to monitor the DPA’s enforcement trends, especially in similar industries.
The DPA inspectors often run a preliminary inspection of an organization without actually visiting the premises. For example:
A good level of privacy compliance will help prepare organizations and employees for investigations. In particular, regular training and awareness on general privacy obligations and employees’ duties will minimize any compliance gaps.
Prepare a plan and organize training. Organizations may consider developing a plan that sets out how to react in an organized way to the DPA’s visit. The plan may determine who should be notified about the inspection, establish an internal inspection or audit team, provide guidelines on handling the DPA’s questions and requests for documents and set out procedures for actions during an inspection. It is helpful if the plan sets out the basic logistics, such as what offices and resources will be made available to the inspectors. Staff should be briefed on the role they may play during an inspection. For example:
Form an inspection team. Organizations may consider creating an inspection team that includes key individuals responsible for handling the inspection (e.g., the data protection officer, the head of legal, the head of information technology (IT) and the heads of main departments such as human resources (HR) and marketing). It may be helpful to draft rules of procedure, including the composition of the team, their duties and responsibilities and the procedures that must be followed. These may include receiving and accompanying the inspectors throughout their inspection, responding to their questions, coordinating with other employees, attending interviews and coordinating daily meetings.
Members of the team should be informed immediately about the DPA’s visit. Therefore, their phone numbers should be readily available to the front office in case the team members are out of the office when an unannounced inspection takes place.
Raise awareness among employees. An organization should ensure proper awareness amongst its staff about the likelihood of privacy inspections. Employees should be informed of such a possibility so that they know what to expect. When no inspections have occurred in the past, employees may not be familiar with the procedure, or may not be at ease when interviewed by the authorities. Therefore, prior notice helps to make them aware of the inspection process and its potential impact on the organization. Prepared employees are better able to respond to the DPA’s questions and to locate the requested documents.
Notice of the inspection. While some DPAs provide advance notice, others provide little or no warning of their intention to conduct an inspection. The notification period may be greater if the inspection is routine, as opposed to complaint- or inquiry-driven. For example:
Authorization. Upon the inspectors’ arrival, the first action should be to verify their identity and their specific accreditation to conduct the inspection. The accreditation should specify the subject matter and purpose of the inspection, and the inspectors will usually produce an explanatory note. The representative of the organization should determine the scope of inspection, in particular whether there is any particular area of concern (customer service, HR, etc.), whether the inspection is the result of an infringement or planned with regard to a specific industry, what the nature of the infringement is and the planned duration of the inspection.
Duration and timing of the inspection. The duration of the inspection can be a few days to several weeks, depending on its type, the size of the organization and the country.17 Even routine inspections can take several weeks or more.
In general, the inspectors’ agenda will govern the visit. The inspectors will indicate what they would like to do and when. It is helpful to discuss the agenda with them in advance because it allows the organization to better manage the resources necessary to gather the information and to schedule employees for interviews. Planning ahead will also help to minimize disruption to business activities, and allow employees needed for interviews to reschedule other meetings.
Generally, inspectors will arrive at the organization’s premises during normal business hours. However, some laws allow inspections outside of business hours. In Poland, inspectors can enter the organization’s premises between 6 a.m. and 10 p.m. and in France between 6 a.m. and 9 p.m.
The logistics. Once the inspectors have arrived, they should be shown to a room where they can work, but they should not be left out of sight. The room should be able to accommodate the inspectors as well as a similarly sized organization team; it should also have a worktable for the documents under review, as well as a telephone, paper and pens, etc. In addition to the actual inspection room, adequate work areas for copying and stamping documents (e.g., date provided, confidentiality, etc.) should be provided.
It is also best to notify selected staff that the inspectors are on the premises, and that their assistance may be requested at short notice. It may also be useful to remind employees that they should not write any e-mails, memos or other documents about the inspection, unless asked to do so by their managers, the legal team or the inspection team.
Inspectors’ powers. The DPAs have broad authority to carry out inspections. Generally, most laws specify that the inspectors may access any place, premises, surroundings, equipment or buildings that are used to process personal data for professional purposes, and specify that they are allowed to: look at and request copies of the documents, interview staff; review and print out data that are stored electronically; perform inspection of any devices, data carriers or computer systems used for data processing; and demand written or oral explanations.
Interviews with employees. Inspectors routinely request interviews with the organization’s staff. Inspectors may request to interview a specific person. This request should not, in general, be objected to; however, sometimes, following a suggestion from the inspection team or the unavailability of an employee, the team may agree to interview another person instead. However, failure to provide the requested employees for interviews may be regarded as hindering the inspection.
When anticipating requests for employee interviews, the inspection team should consider identifying employees who are likely to be called for an interview. Meetings should be scheduled with those employees to discuss the process and the areas of possible review, identify documents that may be responsive to requests and answer any questions that they may have. Organizations should consider preparing the employees through mock interviews. The inspection team should also be present during interviews.
The meetings. If acceptable to the inspectors, it is a good practice to begin and end each day with a meeting between the inspection team and the inspectors. These meetings allow a review of the status of the inspection to ensure that the inspectors are satisfied with the information provided, to provide the inspectors with any requested documents and to discuss any new questions or requests. More senior members of the organization should attend the meetings, and members of the inspection team should be generally available throughout the whole inspection.
Minutes. It is helpful to record steps taken during an inspection, as well as any communication with the inspectors. The minutes should include each question or request from the DPA and a response to each inquiry, the name of the person who provided the response and whether the inspectors were satisfied with the response. Minutes create a record that can be used to dispute inspectors’ conclusions (e.g., inaccurate claims that the company withheld information or failed to answer questions), and can also be used to prepare for future inspections.
Hindering the inspection. There are certain areas where the organization has the right to object or the right to redact certain confidential information. However, objecting to the inspectors’ requests, denying access to premises or documents or any other hindrance to the inspection of certain areas will likely be thought of as resisting the inspection and can lead to a negative outcome for the organization or its representatives. In some countries, obstruction of a DPA inspection or investigation may incur administrative or even criminal penalties:
After the inspection, the members of the inspection team should: run a preliminary assessment to determine whether the explanations concerning any documents that were withheld or any other reservations made should be sent to the DPA; whether the documents supplied or explanations given were sufficient or whether further documents should be submitted; whether there are any factors relevant to the inspection that may not have been apparent to the inspectors; and whether it is necessary to correct any unfavorable inferences or impressions that the inspectors may have drawn.
Depending on the outcome of the inspection (and in particular if sanctions are likely), the inspection team will need to determine what actions must be taken in order to remediate the violations.
Protocol. At the end of the inspection, the inspectors will present a final protocol including the records and the findings of the inspection. Some laws, e.g., French and Polish laws, include detailed content of such protocol.
The outcome of the inspection. The outcome of the inspection and its consequences may greatly vary among the member states.
Following the inspection, the DPA may ask the organization for additional information. The DPA may also find that the organization has complied with the law. In such case corrective measures are not ordered, nor are sanctions imposed, and the organization is informed about the closure of the investigation. The inspection will, however, usually be followed by a DPA’s decision, including the findings, recommendations or orders and, where necessary, sanctions. The following measures may be imposed or ordered:
Any noncompliance identified should be promptly addressed, and in any case within any time frame provided by the DPA. The corrective actions should be documented. It is also wise to inform the DPA of the actions taken and of the implementation of the recommendations to limit the risk of a post-checking inspection.
Appeal. Generally, when the organization does not agree with the findings of the DPA or the sanctions imposed, it can question the decision in a court proceeding. However, this is not always the case. For example, in Poland in 2011, only 10 percent of decisions were appealed.
Follow-up. Organizations that have been inspected may expect to be contacted by the DPA to establish what actions have been taken to implement the recommendations as set out in the final audit report. Follow-up inquiries are often conducted in writing, and will usually involve the provision of additional documentation or sample data sets.
Karin Retzer is of counsel to Morrison & Foerster LLP, in Brussels, where her practice focuses on electronic commerce and data protection, technology licensing and intellectual property law.
Joanna Lopatowska is an associate in the Privacy and Data Security Group in Morrison & Foerster’s Brussels office.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.
To view additional stories from Bloomberg Law® request a demo now